dynamic ip vpn

Unanswered Question
Aug 12th, 2008
User Badges:

hai friends,

i want to create site to site vpn between two sites but both the sites having dynamic ip.my question is ,is it possible to create site to site otherwise any other way is there ..if site to site is possible send any documentation


thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Farrukh Haroon Wed, 08/13/2008 - 04:08
User Badges:
  • Red, 2250 points or more

No you cannot make a site-2-site vpn with dynamic IPs on both sides. Dynamic crypto maps don't allow you to initiate connections, if both sides have dynamic crypto maps, who will initiate the connection?


You can setup a remote-access VPN. Preferably register the VPN server IP with dyn-dns. Then just enter the dyn-dns hostname of the VPN server in the Cisco VPN Client. Just make sure you are running a newer version of the Cisco VPN Client.


Regards


Farrukh

zeuscyril Sun, 08/24/2008 - 22:37
User Badges:

by register with ip dyn-dns we cant create site to site vpn .using hostname we can communicate ?...otherwise tell me possible way.

Farrukh Haroon Mon, 08/25/2008 - 04:32
User Badges:
  • Red, 2250 points or more

Yes it should work. Just make sure you use the latest version of the Cisco VPN Client.


Regards


Farrukh

zeuscyril Mon, 08/25/2008 - 06:08
User Badges:

thankyou for ur reply


i am not asking about remote vpn client...


it is possible to create site to site vpn using these dynamic dns hostname..


because i am having both sides dynamic ip.


if it is possible give me some example


thanks..


Farrukh Haroon Mon, 08/25/2008 - 06:20
User Badges:
  • Red, 2250 points or more

I already told you that you cannot. From my original response:


"No you cannot make a site-2-site vpn with dynamic IPs on both sides. Dynamic crypto maps don't allow you to initiate connections, if both sides have dynamic crypto maps, who will initiate the connection? "


Please rate if helpful.


Regards


Farrukh

zeuscyril Mon, 08/25/2008 - 06:54
User Badges:

thanks for ur reply..


so there is no solution...so only possibility is remote client

zeuscyril Mon, 08/25/2008 - 22:37
User Badges:

hai


i configured remote client in asa 5505 and everything working fine.remotely connecting but the ip address and gateway is same..


for example i assign a pool 192.168.1.10-192.168.1.20


the ipconfig remotely

ip addrss 192.168.1.10

subnet 255.255.255.0

gateway 192.168.1.10...


so i am not able to access anything.


Farrukh Haroon Mon, 08/25/2008 - 23:33
User Badges:
  • Red, 2250 points or more

That default gateway is normal. Don't worry about that.


'acesss anything' what do you mean? Did you check the encr/decr on the ASA and the VPN client?


Regards


Farrukh

zeuscyril Mon, 08/25/2008 - 23:40
User Badges:

not able to access means


i am trying to access that asa but itis not communicating and i tried to ping the asa also...request timed out is coming ..i tried telnet also..nothing is happening..i am attaching my config in this...



Farrukh Haroon Tue, 08/26/2008 - 04:10
User Badges:
  • Red, 2250 points or more

What is the point of defining a 'permit any' ACL and then doing a 'tunnelspecified'? Just do a "tunnelall".


Is phase 1 and 2 UP after the client connects? Do you see encap/decap?


show crypto ipsec sa


Regards


Farrukh

gsobeski Wed, 08/27/2008 - 09:25
User Badges:

setup a DMVPN using NHRP at the hub site, which will keep track of the current global IP address at the two spokes, and they will be able to dynamically form tunnels between them, and even if the address changes, those updates will re-register with the NHRP server. That's assuming this is IOS-IOS VPN.

rm760 Tue, 12/14/2010 - 11:39
User Badges:

Have you tried using a dynamic update client on a computer inside each firewall and then building the VPN using FQDNs instead of the IP address.

Bastien Migette Thu, 12/23/2010 - 06:02
User Badges:
  • Cisco Employee,

What devices are you using ?


You can have One device with dynamic IP using easyVPN Server/client feature for sure, and I think you can have both with dynamic IP by using a DNS name instead of IP to define ezVPN server on client.

rm760 Thu, 12/23/2010 - 12:12
User Badges:

Thank you for your input but both end points devices are ASA5505 firewalls and I need site to site connectivity.  

Bastien Migette Thu, 12/23/2010 - 23:39
User Badges:
  • Cisco Employee,

So you can configure one asa with remote vpn as described here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

and enable network extension mode:

      group-policy VPNGP attributes
        nem enable


and on the other side, confiugre your asa as a easy vpn client. Asa server should have a DNS pointing to its IP, you can use dynamic DNS features:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1091527


      vpnclient mode network-extension-mode
      vpnclient nem-st-autoconnect
      vpnclient vpngroup VPN_Tunnel password VPNPSK
      vpnclient username xauthuser password xauthpwd
      vpnclient server asaserver.mycompany.com
      vpnclient enable


Network extension mode permit that user behind the asa acting as client access and be accessed through the VPN Tunnel. Default mode (client mode) will make the client asa NAT/PAT the inside hosts so they appear as being the asa.


If that solves your pb, please mark thread as resolved and/or rate it.

Actions

This Discussion