dynamic ip vpn

Unanswered Question
Aug 12th, 2008

hai friends,

i want to create site to site vpn between two sites but both the sites having dynamic ip.my question is ,is it possible to create site to site otherwise any other way is there ..if site to site is possible send any documentation

thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Farrukh Haroon Wed, 08/13/2008 - 04:08

No you cannot make a site-2-site vpn with dynamic IPs on both sides. Dynamic crypto maps don't allow you to initiate connections, if both sides have dynamic crypto maps, who will initiate the connection?

You can setup a remote-access VPN. Preferably register the VPN server IP with dyn-dns. Then just enter the dyn-dns hostname of the VPN server in the Cisco VPN Client. Just make sure you are running a newer version of the Cisco VPN Client.

Regards

Farrukh

zeuscyril Sun, 08/24/2008 - 22:37

by register with ip dyn-dns we cant create site to site vpn .using hostname we can communicate ?...otherwise tell me possible way.

Farrukh Haroon Mon, 08/25/2008 - 04:32

Yes it should work. Just make sure you use the latest version of the Cisco VPN Client.

Regards

Farrukh

zeuscyril Mon, 08/25/2008 - 06:08

thankyou for ur reply

i am not asking about remote vpn client...

it is possible to create site to site vpn using these dynamic dns hostname..

because i am having both sides dynamic ip.

if it is possible give me some example

thanks..

Farrukh Haroon Mon, 08/25/2008 - 06:20

I already told you that you cannot. From my original response:

"No you cannot make a site-2-site vpn with dynamic IPs on both sides. Dynamic crypto maps don't allow you to initiate connections, if both sides have dynamic crypto maps, who will initiate the connection? "

Please rate if helpful.

Regards

Farrukh

zeuscyril Mon, 08/25/2008 - 06:54

thanks for ur reply..

so there is no solution...so only possibility is remote client

zeuscyril Mon, 08/25/2008 - 22:37

hai

i configured remote client in asa 5505 and everything working fine.remotely connecting but the ip address and gateway is same..

for example i assign a pool 192.168.1.10-192.168.1.20

the ipconfig remotely

ip addrss 192.168.1.10

subnet 255.255.255.0

gateway 192.168.1.10...

so i am not able to access anything.

Farrukh Haroon Mon, 08/25/2008 - 23:33

That default gateway is normal. Don't worry about that.

'acesss anything' what do you mean? Did you check the encr/decr on the ASA and the VPN client?

Regards

Farrukh

zeuscyril Mon, 08/25/2008 - 23:40

not able to access means

i am trying to access that asa but itis not communicating and i tried to ping the asa also...request timed out is coming ..i tried telnet also..nothing is happening..i am attaching my config in this...

Farrukh Haroon Tue, 08/26/2008 - 04:10

What is the point of defining a 'permit any' ACL and then doing a 'tunnelspecified'? Just do a "tunnelall".

Is phase 1 and 2 UP after the client connects? Do you see encap/decap?

show crypto ipsec sa

Regards

Farrukh

gsobeski Wed, 08/27/2008 - 09:25

setup a DMVPN using NHRP at the hub site, which will keep track of the current global IP address at the two spokes, and they will be able to dynamically form tunnels between them, and even if the address changes, those updates will re-register with the NHRP server. That's assuming this is IOS-IOS VPN.

rm760 Tue, 12/14/2010 - 11:39

Have you tried using a dynamic update client on a computer inside each firewall and then building the VPN using FQDNs instead of the IP address.

Bastien Migette Thu, 12/23/2010 - 06:02

What devices are you using ?

You can have One device with dynamic IP using easyVPN Server/client feature for sure, and I think you can have both with dynamic IP by using a DNS name instead of IP to define ezVPN server on client.

rm760 Thu, 12/23/2010 - 12:12

Thank you for your input but both end points devices are ASA5505 firewalls and I need site to site connectivity.  

Bastien Migette Thu, 12/23/2010 - 23:39

So you can configure one asa with remote vpn as described here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

and enable network extension mode:

      group-policy VPNGP attributes
        nem enable

and on the other side, confiugre your asa as a easy vpn client. Asa server should have a DNS pointing to its IP, you can use dynamic DNS features:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1091527

      vpnclient mode network-extension-mode
      vpnclient nem-st-autoconnect
      vpnclient vpngroup VPN_Tunnel password VPNPSK
      vpnclient username xauthuser password xauthpwd
      vpnclient server asaserver.mycompany.com
      vpnclient enable

Network extension mode permit that user behind the asa acting as client access and be accessed through the VPN Tunnel. Default mode (client mode) will make the client asa NAT/PAT the inside hosts so they appear as being the asa.

If that solves your pb, please mark thread as resolved and/or rate it.

Actions

This Discussion