
Dynamic Site to Site Tunnel

rmwhite59
Level 1

What would need to be changed for this to be dynamic?

access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0

access-list nonat extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0

nat (inside) 0 access-list nonat

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map outside_map 20 match address 100

crypto map outside_map 20 set peer xx.xxx.xxx.101

crypto map outside_map 20 set transform-set myset

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group xx.xxx.xxx.101 type ipsec-l2l

tunnel-group xx.xxx.xxx.101 ipsec-attributes

pre-shared-key ciscorules

2 Replies

rmwhite59
Level 1

Clarification:

ASA has a static IP

PIX has a dynamic IP

I need to create a site to site tunnel between them

On the ASA, use the DefaultL2LGroup; don't create a tunnel group with the IP address of the PIX, as it will change.

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

and...

access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0

crypto dynamic-map dyn_map 10 match address 100

crypto dynamic-map dyn_map 10 set pfs

crypto dynamic-map dyn_map 10 set transform-set myset

crypto map outside_map 20 ipsec-isakmp dynamic dyn_map
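
An added example, not part of the thread and not Cisco tooling: a small Python check that the ASA-side pieces named in the reply above line up for a peer whose address changes. The function name, the sample config and the placeholder key are constructed for illustration, and the fixed-address tunnel-group check assumes the single-peer setup discussed here.

```python
import re

# Constructed sample: ASA-side lines from the thread with the reply applied (placeholder key).
DYNAMIC = """\
access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dyn_map 10 match address 100
crypto dynamic-map dyn_map 10 set pfs
crypto dynamic-map dyn_map 10 set transform-set myset
crypto map outside_map 20 ipsec-isakmp dynamic dyn_map
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER
"""

def check_dynamic_l2l(config):
    """Return findings for a single dynamic-peer L2L setup; an empty list means consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def grab(pat):
        return [m.groups() for l in lines if (m := re.match(pat, l))]
    acls = {g[0] for g in grab(r"access-list (\S+) ")}
    tsets = {g[0] for g in grab(r"crypto ipsec transform-set (\S+) ")}
    dyn_refs = grab(r"crypto dynamic-map (\S+) \d+ (match address|set transform-set) (\S+)")
    bound = grab(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
    findings = []
    if not bound:
        findings.append("no crypto map entry references a dynamic map")
    for cmap, seq, dname in bound:
        if not any(d == dname for d, _, _ in dyn_refs):
            findings.append(f"dynamic map {dname} is referenced but not defined")
        # Static peer statement left on the sequence number now used for the dynamic entry
        if grab(rf"crypto map {re.escape(cmap)} {seq} set peer (\S+)"):
            findings.append(f"crypto map {cmap} {seq} still has a static 'set peer'")
    for dname, kind, ref in dyn_refs:
        if ref not in (acls if kind == "match address" else tsets):
            findings.append(f"dynamic map {dname}: {kind} {ref} is not defined")
    # A tunnel-group named after the peer address cannot match a peer whose address changes
    for (name,) in grab(r"tunnel-group (\S+) type ipsec-l2l"):
        if name != "DefaultL2LGroup":
            findings.append(f"tunnel-group {name} is tied to a fixed peer address")
    # The key for peers without their own tunnel-group sits under DefaultL2LGroup
    ctx, keyed = "", set()
    for l in lines:
        ctx = l if l.startswith("tunnel-group ") else ctx
        if l.startswith("pre-shared-key "):
            keyed.add(ctx)
    if "tunnel-group DefaultL2LGroup ipsec-attributes" not in keyed:
        findings.append("DefaultL2LGroup has no pre-shared-key")
    return findings
```

Run against the static configuration from the question, it reports the missing dynamic map entry, the address-bound tunnel-group and the missing DefaultL2LGroup key.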
