09-09-2009 07:28 AM - edited 03-11-2019 09:13 AM
Hello,
I have a VPN that will connect using one of 3 public IP addresses, is it possible to set up a VPN like this? Normally I set up VPNs with a peer having a single static IP, not a pool of IPs?
Thanks
09-10-2009 06:13 AM
Andrew,
Sorry I'm confused (doesn't take much does it)
I simply tried to add:
crypto ipsec transform-set dynset1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set dynset1
crypto map dyn-map 1 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto map dyn-map 1 set pfs group5
09-10-2009 06:24 AM
;) no issues
Here is the thing, you can only have ONE crypto map configured on ONE interface at any one time.
Soooooo if you already have a crypto map configured and attached to the outside interface - then you just amend it, giving your dynamic crypto map a higher sequence number; hope this clears it up.
If not - see an example of one of my crypto maps:-
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto dynamic-map dyno-map 10 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 1 match address vpn1
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 26 match address vpn2
crypto map vpntunnel-outside 26 set peer 2.2.2.2
crypto map vpntunnel-outside 26 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 60 match address vpn3
crypto map vpntunnel-outside 60 set peer 3.3.3.3
crypto map vpntunnel-outside 60 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 65535 ipsec-isakmp dynamic dyno-map
crypto map vpntunnel-outside interface outside
HTH>
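An added sanity check (my own script, not from this thread or from Cisco) that encodes the two rules in the post above: only one crypto map bound per interface, and the dynamic entry carrying a higher sequence number than every static (known-peer) entry in the same map. The sample configs are constructed from the thread's examples.

```python
"""Check ASA crypto-map config text for the two ordering/binding rules."""
import re
from collections import defaultdict
from typing import List

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")        # crypto map NAME SEQ ...
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")    # crypto map NAME interface IF

def check_crypto_maps(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config passes both rules."""
    bound = defaultdict(list)        # interface -> [crypto map names bound to it]
    static_seq = defaultdict(list)   # map name -> [sequence numbers of static entries]
    dynamic_seq = defaultdict(list)  # map name -> [sequence numbers of dynamic entries]
    for raw in config.splitlines():
        line = raw.strip()
        m = BIND.match(line)
        if m:
            bound[m.group(2)].append(m.group(1))
            continue
        m = ENTRY.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            target = dynamic_seq if rest.startswith("ipsec-isakmp dynamic") else static_seq
            if seq not in target[name]:
                target[name].append(seq)
    findings = []
    for iface, names in bound.items():            # rule 1: one crypto map per interface
        if len(set(names)) > 1:
            findings.append(f"interface {iface}: more than one crypto map bound "
                            f"({', '.join(sorted(set(names)))})")
    for name, dyns in dynamic_seq.items():        # rule 2: dynamic entry sorts last
        highest_static = max(static_seq[name], default=0)
        for seq in dyns:
            if seq <= highest_static:
                findings.append(f"map {name}: dynamic entry {seq} not above "
                                f"highest static entry {highest_static}")
    return findings

# Constructed sample: the working layout from the post above (static peers 1/26/60, dynamic at 65535).
GOOD_CONFIG = """
crypto map vpntunnel-outside 1 match address vpn1
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 26 match address vpn2
crypto map vpntunnel-outside 26 set peer 2.2.2.2
crypto map vpntunnel-outside 65535 ipsec-isakmp dynamic dyno-map
crypto map vpntunnel-outside interface outside
"""
# Constructed sample: a second map bound to the same interface, and a dynamic entry below a static one.
BAD_CONFIG = """
crypto map outside_map 10 match address vpn1
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 5 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto map dyn-map 1 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
"""
```

Run `check_crypto_maps(BAD_CONFIG)` to see both findings reported; the good config returns an empty list.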
09-10-2009 06:54 AM
I think I do. All my VPNs went down; when I compared the config with last night's, I soon realised I had to add back:
"crypto map outside_map interface outside"
so when I added
"crypto map dyn-map interface outside"
bang! They all went down
If I get it I must leave "crypto map outside_map interface outside" as it is?
Based on my example in the previous post, how should that look? That way it should click for me.
Thanks again Andrew.
09-10-2009 06:57 AM
Post your current config, remove sensitive info
09-11-2009 02:27 AM
09-11-2009 06:02 AM
Well from your config - you already have config for dynamic maps, so just add the below and it should work ok:-
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
default-group-policy AW-L2L
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <>
HTH>
09-11-2009 06:18 AM
Thanks I take it I can call the "DefaultL2LGroup" anything?
Also to remove this if I have to I can just use:
no tunnel-group DefaultL2LGroup type ipsec-l2l
no tunnel-group DefaultL2LGroup general-attributes
no default-group-policy AW-L2L
no tunnel-group DefaultL2LGroup ipsec-attributes
no pre-shared-key <>
09-11-2009 06:52 AM
Nope - it has to be the same name, as this is the "default" for all unknown VPNs - as you cannot create a specific tunnel group when you don't know the IP address of the source.
09-11-2009 06:56 AM
I understand that part, I'm just not sure where you got "DefaultL2LGroup" from, whether it is a system default "word" itself or you made up this?
I was thinking of just copying your code into my ASA tomorrow (out of hours) and testing?
09-11-2009 07:05 AM
It's the system default!
Sounds like a plan.
09-11-2009 07:09 AM
Great stuff!
I will try adding just those 4 lines tomorrow and let you know how it goes.
1.) The great thing now is (well, tomorrow) I can set up VPNs without knowing the customer's IP address. I guess as long as the pre-shared key and the IKE and IPsec phases match then I should be OK? Although I will use the IP if they have knowledge of it.
2.) Is having a dynamic VPN quite common?
09-11-2009 07:15 AM
OK - cool
1) Yep - makes things a little easier
2) Yes - as most business ADSL prices are still quite high (in the UK at least) and bundling a static IP on top increases the cost. I have seen a sharp increase in dynamic VPNs. It also makes bringing a new remote site on-line much easier....just pre-configure the pix/asa and send out!!
09-11-2009 07:34 AM
Nice.
If I decide to turn this dynamic feature off, how would I achieve this?
09-11-2009 07:46 AM
c'mon mate - you either remove the whole DefaultL2LGroup config or change the psk
09-11-2009 07:54 AM
Thanks, sorry for the simple questions.
I'm only a CCNA, forced into the ASA world. Hopefully some training soon.