one peer has dynamic IP - Site to site VPN - ASA5540

Answered Question
Apr 10th, 2010
I need to configure a site-to-site VPN. One of the peers has a dynamic IP. The hostname of the peer is qpmmoroc.dyndns.org. I am able to ping this from the firewall, but how do I configure the peer using the hostname?

Correct Answer by Jennifer Halim about 7 years 1 month ago

Unfortunately, that is not a supported configuration. You would need to configure a dynamic-to-static LAN-to-LAN tunnel as per the following sample configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml


The VPN tunnel can only be initiated from the dynamic end.

QPM277111 Sun, 04/11/2010 - 22:43

Hi, I have 2 questions.

1) Is this possible in a multisite scenario?

2) Don't we have to call any access list in the main site, which has the static IP?

Jennifer Halim (Cisco Employee) Mon, 04/12/2010 - 02:32

1) You can have multiple dynamic sites connecting to the static site.

2) If it's dynamic, you don't have to configure an access-list; you would need to use a dynamic-map.

QPM277111 Mon, 04/12/2010 - 02:51

The tunnel actually got established, but I was facing a problem with traffic forwarding.

Moreover, I am also not able to enter the following command on the remote ASA:

crypto map newmap 10 ipsec-isakmp

Can you please help me further?

Jennifer Halim (Cisco Employee) Mon, 04/12/2010 - 02:54

What do you mean by "you can't put the command: crypto map newmap 10 ipsec-isakmp"?

Can you share the config, and also the output of what you tried to configure?

QPM277111 Mon, 04/12/2010 - 05:37

Hi,

I have established the tunnel.

Out of the 2 sites, one site is working without any issues.

On the other site the tunnel has been formed, but I am not able to ping any interesting traffic.

What all do I need to check?

Jennifer Halim (Cisco Employee) Mon, 04/12/2010 - 05:50

Make sure the third site's LAN does not overlap with the other sites' LANs.

Is this the dynamic peer? So you are seeing Phase 1 QM_IDLE; can you share the output of "show crypto ipsec sa peer "?

QPM277111 Mon, 04/12/2010 - 05:53

I have changed the IP addresses. Please don't mind.



sh crypto ipsec sa peer 1.1.1.1


peer address: 1.1.1.1
    Crypto map tag: cisco, seq num: 20, local addr: 2.2.2.2

      local ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
      #pkts decaps: 194, #pkts decrypt: 194, #pkts verify: 194
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2 /4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 9738032C

    inbound esp sas:
      spi: 0x2E96F8B6 (781646006)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 167936, crypto-map: cisco
         sa timing: remaining key lifetime (kB/sec): (4373981/28746)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x9738032C (2537030444)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 167936, crypto-map: cisco
         sa timing: remaining key lifetime (kB/sec): (4373992/28742)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

QPM277111 Mon, 04/12/2010 - 05:55

And the peer 1.1.1.1 is the dynamic peer. I don't see any idle messages.

Correct Answer
Jennifer Halim (Cisco Employee) Mon, 04/12/2010 - 06:00

Make sure you have NAT exemption configured between the 2 subnets.
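The dynamic-to-static design from the first answer, the dynamic-map point from the second, and the NAT exemption this last answer asks for, put together as one added example; this is not configuration from the thread or from the linked Cisco document. It uses the sanitised addresses from the output above (static ASA at 2.2.2.2 with LAN 10.3.0.0/16, dynamic ASA with LAN 172.16.3.0/24); interface names, map names and the pre-shared key are placeholders, and the `nat (inside) 0 access-list` form is the pre-8.3 syntax that matches a 2010-era ASA 5540 (on 8.3 and later the exemption is a twice-NAT rule of the form `nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE`). Two observations tie it to the thread: the spoke's dyndns name never appears on the hub, because the ASA's `set peer` takes an address, which is why the answer is a dynamic map rather than a hostname; and a bare `crypto map NAME 10 ipsec-isakmp` is IOS syntax, which the ASA only accepts together with `dynamic <map>`, so a static entry is built from separate `match address`, `set peer` and `set transform-set` lines. The counters in the output above (194 packets decrypted, only 18 encrypted) are consistent with return traffic from 10.3.0.0/16 being translated by the regular NAT rule and therefore never matching the tunnel's proxy identities, which is exactly the symptom a missing exemption produces.

```cisco
! ===== Static (hub) ASA 5540, outside = 2.2.2.2, inside = 10.3.0.0/16 =====
! Added example, pre-8.3 syntax; map names, interface names and key are placeholders.

! Phase 1 (IKEv1) policy, must match the spokes
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NAT-T keepalives: the sanitised output shows the SA running over UDP/4500
crypto isakmp nat-traversal 20

! Phase 2 transform set (esp-3des / esp-sha-hmac, as in the show output)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic crypto map: no "set peer", because the spoke address is unknown.
! Any number of dynamic spokes can land on this single entry (multisite).
crypto dynamic-map DYN_SPOKES 20 set transform-set ESP-3DES-SHA
! Bind the dynamic map as the highest (last-evaluated) entry of the interface map
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_SPOKES
crypto map OUTSIDE_MAP interface outside

! With pre-shared keys and an unknown peer address the ASA falls back to
! DefaultL2LGroup, so every dynamic spoke authenticates with this one key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER-CHANGE-ME

! NAT exemption (the "correct answer"): hub LAN to each spoke LAN bypasses NAT.
! One ACE per spoke; spoke LANs must not overlap each other or the hub.
access-list NONAT extended permit ip 10.3.0.0 255.255.0.0 172.16.3.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ===== Dynamic (spoke) ASA, outside via DHCP/PPPoE, inside = 172.16.3.0/24 =====
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Interesting traffic (crypto ACL): spoke LAN to hub LAN
access-list VPN_TO_HUB extended permit ip 172.16.3.0 255.255.255.0 10.3.0.0 255.255.0.0

! Static crypto map entry. A bare "crypto map NAME 10 ipsec-isakmp" is IOS
! syntax and is rejected on the ASA; the entry is these three lines.
crypto map OUTSIDE_MAP 10 match address VPN_TO_HUB
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside

! The spoke knows the hub address, so it gets a named tunnel-group.
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-CHANGE-ME

! NAT exemption on the spoke as well, or its return traffic is PATed out.
access-list NONAT extended permit ip 172.16.3.0 255.255.255.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Verification, once the spoke has sent traffic (only the spoke can initiate):
!   show crypto isakmp sa             -> MM_ACTIVE for the peer
!   show crypto ipsec sa peer <addr>  -> #pkts encaps and #pkts decaps both rising
```

Two caveats a practitioner would want. First, because the hub cannot match an unknown address to a named tunnel-group, all dynamic spokes share the DefaultL2LGroup pre-shared key; anyone holding that key can bring a tunnel up from any address and present any proxy identities the dynamic map will accept, so either add `match address` to the dynamic-map entry to pin the permitted subnets, or move to certificate authentication so each spoke has its own identity. Second, when checking a spoke that "forms the tunnel but passes no traffic", compare the two counters in `show crypto ipsec sa peer`: decaps rising while encaps stays near zero points at the local NAT exemption, while both at zero with the SA up points at routing or the crypto ACL.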
