Using static- and dynamic-addressed L2L VPN tunnels

Answered Question
Sep 4th, 2008

We have an ASA 5510 running 8.0 at our company HQ. We have remote sites that need to create L2L VPN tunnels to the HQ ASA. Some remote sites have static IPs and others have dynamic IPs.

I have found Cisco documentation for static-IP L2L VPN tunnels and have them working. I have found other Cisco documentation for dynamic-to-static-IP L2L VPN tunnels using the "DefaultL2LGroup" tunnel-group.

My question is, can you have both kinds of L2L tunnels on the same ASA? If so, will simply using the "DefaultL2LGroup" tunnel-group and <IP> tunnel-group definitions work? Is there a reason not to do this? Is there a better technology (ASA at HQ and a combination of ASA 5505's and 1861's at the remote sites) available?


Correct Answer

Yes, you can have both kinds of L2L tunnels. If you are using a PSK, remember that the IP address of the remote site is used to "validate it" for connection to the HQ. As long as you are using a secure PSK (about 64 characters, mixed upper/lower-case alphanumerics), you should be OK.

A better way of doing it is to get static IP addresses for the sites that currently have DHCP from the ISP.

HTH

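A combined configuration of the kind the answer describes, as an added example that is not part of the original thread: the static peer gets its own crypto map entry and a tunnel-group named after its address, while dynamic peers fall through to a dynamic crypto map and the DefaultL2LGroup pre-shared key. It uses ASA 8.0 syntax; the interface name "outside", the peer address 203.0.113.10, the 10.x.x.x/24 networks and the object names are placeholders. The caveat a practitioner should keep in mind: because the peer address is not known in advance, every dynamic site authenticates with the same DefaultL2LGroup key, so that key alone is the identity of a "dynamic site". Keep it long and random, constrain the dynamic map with a match ACL so a holder of the key cannot negotiate arbitrary proxy identities, and consider certificate authentication instead of a shared PSK for the dynamic sites.

```text
! HQ ASA 5510, 8.0 - static and dynamic L2L peers on one outside interface
! Added example; addresses, networks and names below are placeholders.

! --- IKE phase 1 ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Dynamic sites are often behind ISP NAT; allow NAT-T with 20 s keepalives
crypto isakmp nat-traversal 20

! --- IKE phase 2 transform set shared by all peers ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- NAT exemption for traffic that must travel inside the tunnels ---
access-list NO_NAT extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! --- Static site (branch A, fixed address 203.0.113.10) ---
access-list HQ_TO_BRANCH_A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address HQ_TO_BRANCH_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA

! Tunnel-group name = peer address; this PSK belongs to branch A only
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <branch-A-key>

! --- Dynamic sites (address unknown, so no per-peer crypto map entry) ---
! Limit which proxy identities a dynamic peer may propose; without this,
! anyone holding the default key could negotiate any network pair.
access-list DYN_REMOTE_NETS extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto dynamic-map DYN_MAP 10 match address DYN_REMOTE_NETS
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
! The dynamic entry must carry the highest sequence number so that
! static entries are matched first.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP

! DefaultL2LGroup already exists; it is only visible in
! "show running-config all" until you change something in it.
! Every dynamic peer authenticates with this one key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <long-random-key-shared-by-all-dynamic-sites>

crypto map OUTSIDE_MAP interface outside
```

After applying it, "show running-config all tunnel-group" shows the otherwise hidden DefaultL2LGroup, and "show crypto isakmp sa" / "show crypto ipsec sa" show which peers landed on the static entry (sequence 10) versus the dynamic entry (sequence 65535). Because the HQ cannot initiate to a dynamic peer, those tunnels are only ever brought up from the remote side.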

otaku-genghis Tue, 09/09/2008 - 12:26

Thank you for the reply. I configured the DefaultL2LGroup tunnel-group and successfully set up a VPN tunnel from a dynamically-addressed PIX.

Note:

1. You have to issue "show running-config all" to see the DefaultL2LGroup entries.

2. There may be a problem with PIX-to-ASA VPN tunnels when the HQ ASA has multiple ISAKMP policies. Setting the remote side to the highest-numbered ISAKMP policy brought the tunnel up immediately.
