Cisco BiDirectional IPSEC Tunnel remote office has dynamic outside IP 2

[gb0mb]

Hello,

I am trying to find information on how to create a bi directional ipsec tunnel to a remote office. The remote office does not have a static IP address, the corporate however does.

I am not sure if this is even possible. The only thought I had on achieving this would be some sort of dyndns client.

I assume you would need dynamic access lists, policies, ect to account for the eventual change of an IP address.

Any thoughts would be appreciated.

Thanks,

G

Gb0mb

........99.9% User Error........
Ubuntu -- African for I can't install Gentoo

 

[PScottC]

I just went through this. You can create a static VPN configuration on both sides and hope that the IP doesn't change. (Which is a pretty good possibility. I haven't had an IP change for over a year.)

Your alternate is to configure a static connection on the remote ASA and a dynamic connection at your main office. This is the configuration that I went with. The only trick is that the remote must always initiate the VPN connection. The way I got around this issue was to configure syslogging on the remote to send data to the main office. With this method, my VPN never goes down.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[gb0mb]

Thank you for the info.

I like the idea of the syslog to keep it alive.

The alternative you suggested:

Remote ASA Make A static tunnel back to "Corporate"
Corporate ASA Dynamic VPN so the remote IP would not matter.

Does this alternative allow bidirectional communications?
Since you have syslog "heartbeats" going accross the tunnel to keep it up, can you initiate traffic to the remote site?

For example using your alternative approach could I from my corporate desktop initiate a remote desktop session on a machine on the remote site?

Thanks again for the help.

Gb0mb

........99.9% User Error........
Ubuntu -- African for I can't install Gentoo

 

[Supergrrover]

Here is a guide to the setup -

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

All the VPNs (unless you specifically block it) will allow bi-directional. Once the tunnel is up, either side can initiate traffic. If the tunnel is down, only the dynamic side of the tunnel can initiate and that will bring up the tunnel. I find windows chatty enough that I don't really bother with a heartbeat type setup. I have setup a pc on the far end to send a block of pings on a timer every 30min.

You don't want to setup a static on both ends and hope your far end IP never changes. It's just a headache.

Good luck, let us know how it goes.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[PScottC]

Supergrrover hit it on the head.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[gb0mb]

Supergrrover thanks for the help.

Is 30 minutes the timeout on the tunnel?

Since this is new to me I just want to make sure I am on the right track.

From the remote site with the aforementioned VPN setup, can I have the remote site machines obtain dhcp leases from the local network? Or is it better to have their own subnet?

I want to say you can configure the firewall to relay certain traffic over the tunnel.

Thanks,

G

Gb0mb

........99.9% User Error........
Ubuntu -- African for I can't install Gentoo