Dynamic Site to Site Tunnel

Unanswered Question
Jun 26th, 2008
What would need to be changed for this to be dynamic?


access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list nonat extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer xx.xxx.xxx.101
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group xx.xxx.xxx.101 type ipsec-l2l
tunnel-group xx.xxx.xxx.101 ipsec-attributes
 pre-shared-key ciscorules

rmwhite59 Thu, 06/26/2008 - 07:30

Clarification:

ASA has a static IP
PIX has a dynamic IP

I need to create a site to site tunnel between them

acomiskey Thu, 06/26/2008 - 07:45

On the ASA, use the DefaultL2LGroup; don't create a tunnel group with the IP address of the PIX, as it will change.


tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

and...


access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
crypto dynamic-map dyn_map 10 match address 100
crypto dynamic-map dyn_map 10 set pfs
crypto dynamic-map dyn_map 10 set transform-set myset
crypto map outside_map 20 ipsec-isakmp dynamic dyn_map


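A small config audit that checks for the two patterns discussed in this thread: a static `set peer` / per-IP `tunnel-group` that breaks once the PIX's address changes, versus a dynamic map bound into the crypto map with a DefaultL2LGroup key. This is an added example, not code from the thread or from Cisco; the two sample configs are constructed from the posts above, and 203.0.113.101 is a placeholder for the redacted peer address.

```python
"""Audit ASA crypto-map text for a peer whose IP address may change."""
import re

# Constructed sample based on the original question (static peer).
STATIC_CFG = """
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 203.0.113.101
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
tunnel-group 203.0.113.101 type ipsec-l2l
tunnel-group 203.0.113.101 ipsec-attributes
 pre-shared-key ciscorules
"""

# Constructed sample based on the answer (dynamic map + DefaultL2LGroup).
DYNAMIC_CFG = """
crypto dynamic-map dyn_map 10 match address 100
crypto dynamic-map dyn_map 10 set pfs
crypto dynamic-map dyn_map 10 set transform-set myset
crypto map outside_map 20 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)", re.M)
DYN_BIND_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", re.M)
DYN_ACL_RE = re.compile(r"^crypto dynamic-map (\S+) \d+ match address (\S+)", re.M)
TG_L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l", re.M)
DEFAULT_TG_RE = re.compile(r"^tunnel-group DefaultL2LGroup ipsec-attributes", re.M)


def audit(cfg, dynamic_peer=True):
    """Return a list of findings; empty means the config fits a dynamic peer."""
    findings = []
    if dynamic_peer:
        # A hard-coded peer address or per-IP tunnel-group stops matching
        # as soon as the remote side gets a new address.
        for _, seq, peer in PEER_RE.findall(cfg):
            findings.append(f"seq {seq}: static 'set peer {peer}' breaks when peer IP changes")
        for name in TG_L2L_RE.findall(cfg):
            findings.append(f"tunnel-group {name}: keyed on peer IP, use DefaultL2LGroup")
    bound = {dyn for _, _, dyn in DYN_BIND_RE.findall(cfg)}
    for dyn, acl in DYN_ACL_RE.findall(cfg):
        if dyn not in bound:
            findings.append(f"dynamic-map {dyn} (acl {acl}) is never bound to a crypto map")
    if bound and not DEFAULT_TG_RE.search(cfg):
        findings.append("dynamic map bound but DefaultL2LGroup has no ipsec-attributes")
    return findings
```

The last check exists because an unknown peer address can only land in DefaultL2LGroup, so a bound dynamic map without a key there will fail phase 1.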