help! site to site with dynamic ip

Unanswered Question
Jan 27th, 2010

Is there a good link anywhere that explains how to set this up where the main office will have a PIX firewall with a static outside ip, and the remote end will be an ASA with a dynamic ip, and we'll need an ipsec tunnel between them? I'm assuming traffic will have to be initiated from the firewall with the dynamic ip, in this case the ASA? But what about once the tunnel is up, will I be able to initate a connection into the network on the ASA LAN from a LAN behind the PIX (assuming its defined in the crypto map)? If I can't connect to the ASA's LAN, will I at least be able to initiate an SSH session to the ASA from the PIX lan? thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mjsully Thu, 01/28/2010 - 06:43

I found that link last night. what I don't like about it is it doesn't just address a site to site between a dynamic ip and a static ip, it throws the vpn client into the works. This part adds to confusion for me and I'm not quite certain which part of the config applies to the remote access vpn vs the site to site. In particular, which lines from the configs in the example (pasted below) apply to the site to site piece of it?

crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco

does the above reference BOTH the remote access and site to site piece of it? while I can appreciate Cisco's doc wanting to cover the additional scenario of remote access vpn's, I'd prefer to see just the config between two firewalls where only a site to site between a static and dynamic is being discussed. I wasn't 100% certain as to which parts of the cisco doc is referencing the config needed for the remote access example, I only need the site to site piece of it.

Laurent Aubert Thu, 01/28/2010 - 13:48

Regarding this example, here is the configuration related to the site-2-site VPN:

access-list 100 permit ip 
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

All the commands starting with vpngroup are dedicated for VPN client.



pudawat Thu, 01/28/2010 - 16:37

HI Laurent,

The document link from MJ is correct!

The dynamic map is not just fro VPN clients but also for peers with Dynamic IP address so that they can negotiated the tunnel as "user".

Since the tunnel group on the Firewall( w/ static IP) cannot be assigned a Static IP. crypto isakmp key <> address says whatever device comes just try to negotiate the tunnel with it.

The tunnel gets negoiated with a default group by giving a pre-shared key to it!!




This Discussion