Site to site vpn issue

Unanswered Question
Jan 22nd, 2009
User Badges:

Hey guys,

We have an ASA 5540 at our main office and we established a site-to-site VPN with several small offices (the small offices have PIX 506 and ASA 5505) at different places, which are connected through cable modems, and the cable modems pull dynamic IPs from the CMTS. On a few of the firewalls at the offices we assigned a static, because whenever the cable modem pulls a new IP we need to change the IP on the main ASA 5540 in our office to bring the tunnel up. Is there any other way through which the ASA learns the IP by itself so we don't need to manually change the IP on the ASA?

Thank you so much in advance

Kindly help me through this

dbellamkonda Fri, 01/23/2009 - 07:12

Thank you so much for the doc.

We already have configs in place for both the firewalls. I noticed this: isakmp key ******** address netmask

Would this be all we need?

If you can help me with how to do it, with commands, that would be great. Thanks a lot.

JORGE RODRIGUEZ Sat, 01/24/2009 - 19:24

Davi, I'm sorry I did not see your second reply.

For the PIXs, meaning the remote sites that have dynamic DHCP on their outside interfaces, you need to configure them as regular L2L and specify the peer address, which is the HQ ASA appliance that does have a static for the outside interface.

Assume the HQ ASA outside interface is

For the PIX side it would be something similar to:

isakmp key <******> address netmask no-xauth no-config-mode

For the HQ side the crypto map type would be dynamic-map, as seen in the example link for the LION HQ firewall, which is the static side, and for the pre-shared key you can use the default tunnel group the ASA already has, DefaultL2LGroup; that pre-shared key will be used by the remote sites to authenticate the tunnel. PLS try attempting to configure it. Pay attention also to the NAT exempt access-list 100 seen in the example, to permit the source and destination networks, and apply the access list in the nat statement:

nat (inside) 0 access-list 100

and make sure the transform sets are identical at both ends. Again, make an attempt to configure the tunnel with your first remote site and have that remote side initiate traffic to bring up the tunnel; if the tunnel does not come up, come back and we'll help you out.

I quote from the link above.

This would be the HQ side for dynamic settings:

crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
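The two halves of the setup described in the reply above, put together as one added example (not configuration from this thread or from the linked document): the remote PIX 506 builds a normal static L2L map pointing at the HQ address, while the HQ ASA uses a dynamic crypto map and the DefaultL2LGroup pre-shared key so it accepts the peer whatever address DHCP hands it. The HQ address 203.0.113.1, the 10.0.0.0/24 and 192.168.10.0/24 networks, the 3DES/SHA transform set and the key placeholder are all assumed values chosen for the example.

```cisco
! ---- Remote PIX 506 (dynamic outside IP) ---- example values, not from the thread
! NAT exempt: traffic between the two LANs must not be translated before encryption
access-list 100 permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 100
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! HQ peer has the static address; no-xauth/no-config-mode keep this a pure L2L peer
isakmp key <PRE-SHARED-KEY> address 203.0.113.1 netmask 255.255.255.255 no-xauth no-config-mode
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map remote 10 ipsec-isapsec
crypto map remote 10 match address 100
crypto map remote 10 set peer 203.0.113.1
crypto map remote 10 set transform-set myset
crypto map remote interface outside
sysopt connection permit-ipsec

! ---- HQ ASA 5540 (static outside IP 203.0.113.1) ---- example values, not from the thread
! Mirror-image NAT exempt; same network pair as access-list 100 on the PIX
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Transform set must match the PIX exactly
crypto ipsec transform-set myset esp-3des esp-sha-hmac
! Dynamic map: no "set peer", so any source address that authenticates is accepted
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
! Key every dynamic-IP site presents; it lives in the default L2L tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY>
sysopt connection permit-vpn
```

Because the HQ side has no peer address to initiate toward, only the remote PIX can bring the tunnel up, which is why interesting traffic has to originate at the remote LAN; a "show crypto isakmp sa" on either box showing QM_IDLE confirms phase 1 completed.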

dbellamkonda Mon, 01/26/2009 - 05:52

Thank you so much for your help sir.

Will configure it the way you suggested.

Much appreciated. Thanks a lot again.

JORGE RODRIGUEZ Mon, 01/26/2009 - 10:09

No problem, PLS let me know the progress. I would suggest starting with the PIX506 site first, which will be much easier. When the PIX side initiates the tunnel and there is no connection issue at the remote site PIX or the HQ site ASA, do show crypto isakmp sa; if you see QM_IDLE the tunnel would be up, but if source hosts cannot connect to dest hosts in HQ we will take a look at the nonat access-lists at both ends.

PIX506LAB#show crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
63.x.x.x 68.x.x.xx QM_IDLE 0 1



dbellamkonda Mon, 01/26/2009 - 11:35

Thank you so much for your help.

Our managers want us to test this with the equipment we have and show them the results first before we put this into the production network.

Will keep you updated.

Would the tunnel come up by itself even after the PIX at the office pulls another IP, or after it pulls another IP do we have to clear the IPsec and ISAKMP sessions to bring the tunnel up?

Thank you so much again for your time and patience.

JORGE RODRIGUEZ Mon, 01/26/2009 - 12:31

> Would the tunnel come up by itself even after the PIX at the office pulls another IP, or after it pulls another IP do we have to clear the IPsec and ISAKMP sessions to bring the tunnel up?

If this happens on the PIX side then you need to send interesting traffic from the remote side to bring the tunnel back up. Interesting traffic could be a PING or RDP that generates traffic that will go through the tunnel. Remember the HQ is dynamic and will accept the connection on a new IP from the DHCP side as long as the secret keys or any other config pertaining to the IPsec policy are NOT changed at either end.

Usually the dynamic DHCP side may pick a new IP if the PIX is rebooted or when the lease time the ISP has set expires at certain times/dates. If I'm not mistaken DHCP leases last quite a while, but it all depends on the ISP.

Keep us posted, and a pleasure to help.
