04-08-2010 03:13 AM - edited 03-04-2019 08:04 AM
Hi All,
I have an 881G router, and the wireless internet connection will be activated with 3G.
Now I have to establish communication between this new site and our DC.
But there is no static public IP.
Does anyone have any ideas how I can achieve this?
My manager said we can make an Easy VPN with the 881G behind DSL (without a public static IP). And also we can do dynamic DNS.
This is the first time I am hearing of this. Experts, can anyone help me with Easy VPN and dynamic DNS, please?
Regards,
Naidu.
04-08-2010 03:29 AM
Hello Naidu,
>> But there is no static public IP.
A dynamic crypto map can be used for this with IPSec:
! shared key between dynamic peers
crypto isakmp key !xxxyyhdddw! address 0.0.0.0 0.0.0.0
crypto dynamic-map VPN_DYN 10
 set transform-set 3DES
 match address 133
 reverse-route
crypto dynamic-map VPN_DYN 20
 description --- Dir. XX---
 set transform-set 3DES
 match address 146
 reverse-route
crypto dynamic-map VPN_DYN 30
 description --- Dir. YY---
 set transform-set AES256
 match address 117
 reverse-route
The dynamic crypto map can be made of multiple blocks as shown above and is then invoked as the last block in a regular crypto map:
! last block of peers with static IP address
crypto map VPN_MAP 1160 ipsec-isakmp
 description --- Screening 2010 ---
 set peer X.Y.146.105
 set transform-set AES128
 match address 121
 reverse-route
! dynamic crypto invoked as last block
crypto map VPN_MAP 65000 ipsec-isakmp dynamic VPN_DYN
!
Hope to help
Giuseppe
Rate useful posts to help Haiti
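A hub configuration of the shape posted above can be checked offline before deployment. The following is an added example, not part of the original post or Cisco's tooling: it verifies that every dynamic entry in a crypto map has a higher sequence number than all static entries (the "invoked as last block" rule), that each referenced dynamic map is defined and has a transform set, and it reports an ISAKMP key bound to `0.0.0.0`. The function name `audit`, the check names, the key and the peer address in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: trimmed copy of the hub template quoted in this thread.
# The key and the peer address are placeholders, not values from the thread.
SAMPLE = """\
crypto isakmp key EXAMPLE-KEY address 0.0.0.0 0.0.0.0
crypto dynamic-map VPN_DYN 10
 set transform-set 3DES
 match address 133
 reverse-route
crypto map VPN_MAP 1160 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set AES128
 match address 121
crypto map VPN_MAP 65000 ipsec-isakmp dynamic VPN_DYN
"""

def audit(config):
    """Return sorted (check, detail) findings for the crypto section of a hub config."""
    findings, dyn, maps, cur = [], {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("crypto "):
            cur = None  # a new top-level crypto command closes the open block
        if m := re.match(r"crypto isakmp key .+ address (\S+)", line):
            if m.group(1) == "0.0.0.0":
                findings.append(("wildcard-psk", "key applies to any peer address"))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+)$", line):
            cur = (m.group(1), int(m.group(2)))
            dyn[cur] = False  # becomes True once a transform set is seen
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line):
            maps.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
        elif cur and line.startswith("set transform-set "):
            dyn[cur] = True
    for (name, seq), has_ts in dyn.items():
        if not has_ts:
            findings.append(("no-transform-set", f"{name} {seq}"))
    defined = {name for name, _ in dyn}
    for name, entries in maps.items():
        top_static = max((s for s, d in entries if d is None), default=-1)
        for seq, d in entries:
            if d is None:
                continue  # static entry, nothing to check here
            if d not in defined:
                findings.append(("undefined-dynamic-map", f"{name} {seq} -> {d}"))
            if seq < top_static:
                findings.append(("dynamic-not-last", f"{name} {seq} < static {top_static}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```

The parser strips leading whitespace, so it also accepts a configuration whose sub-command indentation was lost when it was pasted.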
04-08-2010 03:49 AM
Hi Giuseppe,
Thanks for your response.
Shall I put the below configuration on the 881G?
At the other end, at the DC, we have an ASA5520.
Can you please explain to me briefly how it will work, as I am entirely new to this?
Regards,
Naidu.
04-08-2010 04:42 AM
Hello Naidu,
Sorry for the confusion:
the config template is for the central site device.
The 881G can use a static crypto map because the public IP address of the HQ device is fixed (key point).
Note: this is not an Easy VPN configuration but a normal IPSec configuration where a dynamic crypto map is used on the HQ site to support peers with dynamic public IP addresses.
The configuration I've reported is in production on our network and allows us to support multiple peers with dynamic IP addresses.
Compare this with the Easy VPN config examples that have been provided by Lei.
For Easy VPN between an ASA and a router you can also look at the config example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
Hope to help
Giuseppe
04-08-2010 03:49 AM
Hi Naidu,
This is right. On the Easy VPN server, you do not need to specify your remote peer IP or hostname. See the configuration guides for Easy VPN server and Easy VPN remote.
Server:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1191206
Remote:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftezvpnr.html#wp1048417
HTH,
Lei Tian
04-09-2010 02:38 AM
Hi Giuseppe,
I will follow this configuration, see how it works, and let you know the status.
Once again, thank you so much for your guidance.
Regards,
Naidu.