urgent-Site-Site VPN with ASA having Dynamic Peers

Unanswered Question
Aug 5th, 2009
User Badges:

hi all,

I got stuck in configuring Cisco ASA for site-site vpn with both peers having Dynamic IP.I cannot configure the peer identity as hostname through asdm.eg:abc.selfip.com . I checked in the NetPro also, but I didn't get any satisfactory explanation.This scenario is possible in some other devices like Sonicwall, where we can enter the peer identity as hostname at both sides.

Can someone help me on this issue.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ivarnhagen Wed, 08/05/2009 - 05:22
User Badges:


I'm sorry, but according to my knowlege this isn't possible with 2 Cisco ASA's with a dynamic IP on each side of the VPN. At least one side needs to have a static IP (the other side would connect with aggressive mode).

You could configure one side (e.g. called BR) as an EasyVPN Hardware Client, which connects to the other side (e.g. called HQ) via FQDN. You would need to run a DynDNS service at the HQ side (also not supported on the ASA).

However if the HQ IP changes, the DNS cache of the BR ASA still holds the old IP. The BR ASA would need to be rebooted for it to connect again in a reasonable amount of time. This was the case with ASA v7.2(4)...maybe the behavior is different with v8.2(1)

Site-to-Site VPNs work most reliable if both sides have static IP's.



pranavam_dileep Wed, 08/05/2009 - 21:02
User Badges:


can I establish site-site by creating certificates of domain names.If so how can I do that.




This Discussion