site to site + dynamic ip

[ekke]

Hi,
i have to set up site to site with one side have dynamic ip.

i have this config that works great for site to site with static ip. what can i change to get it to work for dynamic setup?


access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
!
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
!
sysopt connection permit-ipsec
!
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 11 hash md5
crypto isakmp policy 11 authentication pre-share
crypto isakmp policy 11 encryption 3des
crypto isakmp policy 11 group 2
crypto isakmp policy 11 lifetime 86400
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
!
crypto map boras 1 match address 100
crypto map boras 1 set pfs group2
crypto map boras 1 set peer *.*.*.*
crypto map boras 1 set transform-set myset
crypto map boras interface outside
!
tunnel-group remotesite type ipsec-l2l
tunnel-group remotesite ipsec-attributes
pre-shared-key my_key
isakmp keepalive threshold 10 retry 2
!

//:EkkE

 

[Supergrrover]

Here is what you are looking for - the problem is that the remote device must initiate the connection because the head end doesn't know the ip since it is dynamic -

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[desperado618]

I believe in 7.x (definitely in 8.x)FQDN based VPN tunnels are supported. That in conjunction with Dynamic DNS will solve your issue and will allow the vpn to be initiated on either side.

http://www.NetLeets.com

IT Security news and information
In plain English

 

[Supergrrover]

deperado,

Do you have a doc or anything supporting this? The command reference for 8.0 says you have to use an known ip.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193237

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[ekke]

anybody have a copy of a working config?

 

[Supergrrover]

The link in my first post has copies of both the head-end and remote configs.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[ekke]

Hey Supergroover.

i tried to pick out what i need, can you confirm the files below if im missing anything.

//:EkkE

ASA1
access-list 100 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

ASA2
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 172.18.124.166
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.166 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

 

[Supergrrover]

That looks good.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[nhidalgo]

ekke,

Were you able to add this dynamic mapp to your ASA even though you already hava static setup. I want to do the same, but don't want to break what i already have working with the static cyrpto map.