Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Establish VPN from Static IP to Dynamic IP

Status
Not open for further replies.

natesin

MIS
Mar 13, 2001
128
US
I am not sure if this is possible, but if any one knows of a way to accomplish the following, please share.

I want to initiate a connection from an ASA that has a static public address to an ASA that has a dynamic address. I am not sure how this would be possible, but if so, please explain.

TIA

Natesin...

I am Nate, for I have sinned.
 
You could use a service like DynDNS to provide a domain name for the dynamic ASA. The ASA doesn't have a DynDNS client, though, so you would need a PC or something behind the ASA to update the service when the dynamic IP changes.

Matt
 
I was thinking DYNDNS, but I thought there may be another otpion.

Thanks!!

Natesin...

I am Nate, for I have sinned.
 
There's a CISCO whitepaper on this. Go to CISCO.com. It's right on the ASA config docs page.

And DYNDNS isn't going to allow you to setup an IPsec tunnelf rom an ASA to ASA. You need to configure your ASA to accept a default pre-shared key from any IP address.

DYDNS is something else entirely.
 
Why would DYNDNS not work here?

Natesin wants to initiate a connection from an ASA with a static IP address to an ASA with a dynamic IP address. This could work at least two ways.

1. If the static ASA is configured as an EZVPN client it can be configured to connect to a hostname:

Code:
ASA(config)# vpnclient server ?

configure mode commands/options:
  Hostname or A.B.C.D  The IP address or name of the primary server
  WORD < 129 char      The DNS host name of the primary server
ASA(config)#
ASA(config)# vpnclient server whatever.dyndns.org

Thus, a DYNDNS address is used as the target. This requires that the dynamic ASA be set up as an EZVPN server, which does accept connections from all comers, but with XAUTH you don't have to rely solely on a default preshared key.



2. A LAN to LAN tunnel could also be used here with DYNDNS and without the need to accept a default preshared key from any IP address, though it gets more complicated.

You can use the FQDN of each peer in your tunnel group configuration instead of an IP address. The static ASA is configured with the peer whatever.dyndns.org and the dynamic ASA is configured with the peer whatever.natesin.net.

I don't recall specifically what the caveats are for this, but I'm pretty sure certificates, rather than PSKs, are required to do this. There might be something else, too.



Matt
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top