Easy VPN with 881G

Latchum Naidu · ‎04-08-2010

Hi All,

I have 881G router and wireless internet connection will be activate with 3G.
Now I have to establish the communication between this new site to our DC.
But there is no any static public IP.

Can some one have any ideas how can achive this.

My manager said, we can make easy VPN with 881G behind DSL (without public static IP). And also we can do dynamic DNS.

This is first time I am hearing. Experts can anyone help me with easy VPN and dynamic DNS please

Regards,

Naidu.

Giuseppe Larosa · ‎04-08-2010

Hello Naidu,

>> But there is no any static public IP.

A dynamic crypto map can be used for this with IPSec

! shared key between dynamic peers

crypto isakmp key !xxxyyhdddw! address 0.0.0.0 0.0.0.0

crypto dynamic-map VPN_DYN 10
set transform-set 3DES
match address 133
reverse-route
crypto dynamic-map VPN_DYN 20
description --- Dir. XX---
set transform-set 3DES
match address 146
reverse-route
crypto dynamic-map VPN_DYN 30
description --- Dir. YY---
set transform-set AES256
match address 117
reverse-route

the dynamic crypto map can be made of multiple blocks as shown above and then is invoked as last block in a regular crypto map:

! last block of peers with static IP address

crypto map VPN_MAP 1160 ipsec-isakmp
description --- Screening 2010 ---
set peer X.Y.146.105
set transform-set AES128
match address 121
reverse-route

! dynamic crypto invoked as last block
crypto map VPN_MAP 65000 ipsec-isakmp dynamic VPN_DYN
!

Hope to help

Giuseppe

Rate useful posts to help Haiti

Latchum Naidu · ‎04-08-2010

Hi Giuseppe,

Thanks for your response.

Shall I put the below configuration on 881G?

The other end at DC we have ASA5520.

Can you please explain me briefly how it will work as I am entirely new to this.

Regards,

Naidu.

Giuseppe Larosa · ‎04-08-2010

Hello Naidu,

sorry for confusion:

the config template is for the central site device

the 881G can use a static crypto map because public ip address of HQ device is fixed (key point)

note: this is not an Easy VPN configuration but a normal IPSec configuration where dynamic crypto map is used on HQ site to support peers with dynamic public IP address.

The configuration I've reported is in production on our network and allows to support multiple peers with dynamic IP address

Compare this with Easy VPN config examples that have been provided by Lei.

For Easy VPN between an ASA and a router you can also look at the config example

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

Hope to help

Giuseppe

Rate useful posts to help Haiti

Lei Tian · ‎04-08-2010

Hi Naidu,

This is right. On Easy VPN server, you donot need to specify your remote peer IP or hostname. See the configuration guide for Easy VPN server and Easy VPN remote

Server

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1191206

remote

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftezvpnr.html#wp1048417

HTH,

Lei Tian

Latchum Naidu · ‎04-09-2010

Hi Giuseppe,

I will follow this configuration and see how it will work and let you know the status.

Once again thank you so much for your guide.

Regards,

Naidu.