
Dynamic or Fixed IP?

erichlee05
Level 1

Hi,

On a new network using a dynamic IP on the outside (WAN) I need to configure VPN access using an ASA5505. ASA5505 will connect to ftp server. This new network is isolated (standalone) from corporate network.

Can VPN work? Or do I need a fixed IP on the outside of ASA5505 (WAN port)?

Any thoughts?


andrew.prince
Level 10

You will be able to configure a VPN to connect to a "remote" network, but the "remote" network will HAVE to have a static IP address.

AFAIK - you cannot configure a VPN on a device that has a dynamic IP address for a site-to-site connection.

If it is a remote VPN client connection, you could use DNS and DDNS for the profile name in the VPN client.

HTH>

Hi Andrew

"AFAIK - you cannot configure a VPN on a device that has a dynamic IP address for a site to site connection"

I may be misunderstanding the above but you can create a site-to-site VPN from a device with a dynamic IP address but it is less secure. Also at least one end would need a fixed IP. Basically you configure a dynamic crypto map entry and where you would configure the peer IP address you use 0.0.0.0 which means any remote peer can connect. Obviously the importance of the shared key/certificate then becomes even more significant.

If I have misunderstood just ignore me :)

Jon

Jon,

You are right of course - one end would have to have a static IP address. It's basically just like a remote VPN client connecting, but it's actually a remote site.

In those cases - the need for security is paramount, and I have implemented IKE negotiation to the highest levels, with a 168-character PSK, with a low key lifetime.

So say using AES256, DH Group 5 and SHA - with a lifetime of 1 hour and PFS... if someone was able to capture the key negotiation then try and crack it - they would have to do it in one hour, before ALL keys are renegotiated.

Not forgetting the AES256 encryption - the strongest on the planet!

Andrew.
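A check for the settings named in the post above (AES-256, SHA, DH group 5, one-hour lifetime, PFS), as an added example that is not part of the original thread: a Python script that scans ASA configuration text for dynamic crypto map entries and IKE policies that fall short of them. The sample configuration and the names BRANCH and STRONG are constructed, and the thresholds are assumptions taken from the post, not a Cisco recommendation.

```python
import re

MAX_LIFETIME = 3600  # seconds; the one-hour lifetime from the post
IKE_BASELINE = {"encryption": "aes-256", "hash": "sha", "group": "5"}
# Constructed sample in ASA CLI syntax; BRANCH and STRONG are made-up names.
SAMPLE_CONFIG = """\
crypto dynamic-map BRANCH 10 set pfs group5
crypto dynamic-map BRANCH 10 set security-association lifetime seconds 3600
crypto dynamic-map BRANCH 20 set transform-set STRONG
crypto isakmp policy 10
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

def too_long(value):
    return value is None or int(value) > MAX_LIFETIME  # unset is flagged too

def audit(config):
    dyn, policies, current, findings = {}, {}, None, []
    for line in config.splitlines():
        if m := re.match(r"crypto dynamic-map (\S+ \d+) set (.+)", line):
            *key, value = m[2].split()  # e.g. "pfs" -> "group5"
            dyn.setdefault(m[1], {})[" ".join(key)] = value
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            current = policies.setdefault(m[1], {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the policy block
    for name, e in dyn.items():
        if e.get("pfs") != "group5":
            findings.append(f"dynamic-map {name}: PFS group5 not set")
        if too_long(e.get("security-association lifetime seconds")):
            findings.append(f"dynamic-map {name}: SA lifetime unset or above {MAX_LIFETIME}s")
    for num, p in policies.items():
        for key, want in IKE_BASELINE.items():
            if p.get(key) != want:
                findings.append(f"isakmp policy {num}: {key} is {p.get(key)}, baseline {want}")
        if too_long(p.get("lifetime")):
            findings.append(f"isakmp policy {num}: lifetime unset or above {MAX_LIFETIME}s")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns six findings: two for the dynamic-map entry BRANCH 20, which sets neither PFS nor a lifetime, and four for IKE policy 20.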

m.sir
Level 7

Hi Guys & Gals,

Additional info.

It is a client-to-site vpn. We only limit 1 user per remote location and to one particular PC only. We have about 20 sites, and all these sites are using dynamic IP (due to low cost). Other than this forum, I have received mixed info from a number of people. Some said that I could set up a vpn access even if I have dynamic IP on the outside (WAN) of ASA5505. Some said I must have a fixed IP.

So to verify this, has anyone really configured vpn to work on ASA5505 using dynamic IP on the outside (WAN) of ASA5505? If yes, how was the setup?

If the dynamic IP works, and fixed IP only provides added security and nothing else, then my management would have to decide which to go for. FYI, the difference in broadband cost over here (dynamic vs fixed IP) is a whopping $5000 a month.

Any thoughts?

Eric,

Whichever way you dress it up it's like this:-

To communicate over the internet from point a to point b, you need an IP address or name.

The ASA5505 must either have a static IP, or a DHCP - but with DHCP you will need DDNS.

If you have a static IP address on the ASA5505 - cool, all remote VPN clients have the IP address statically configured. If you have DHCP and DDNS, then the remote VPN clients will have the domain name as the end point.

HTH>

Hi Andrew,

Thank you.

Any idea if DDNS can be enabled in ASA5505?

As a matter of fact it does, see the below config link for examples:-

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html

HTH>

Hi Andrew,

If that is the case, all I need to do is register a dns name with a ddns provider, enable ddns in ASA5505, and I am done, isn't it?

In theory yes - that's all it requires.

Hi Andrew,

Many many thanks.
