Dynamic L2L on ASA 8.3.

Hi just had a quick question.

Let's say I have a Cisco ASA (running 8.3) and a Cisco router (which supports IPsec VPN), and the ASA has a static Internet address whilst the router has a dynamic one.

If I create a L2L IPSec tunnel between the two how would this work?

Could I use a solution such as dynamic DNS and then use that DNS name as the tunnel group name, and the ASA will do a DNS lookup to see if it matches any phase 1 packets from a peer matching that IP? I think this is unlikely, but I believe it can be done on some Cisco routers?

Or does the ASA accept all connections from any peer address, like it does with an RA tunnel? Which is what I think it does.

Thanks.

Cisco Employee

Re: Dynamic L2L on ASA 8.3.

Marcos,

This should go to VPN rather than firewalling.

I would suggest using certificates + a dynamic map in this case, the same way you would in the case of two routers.

You can match the certificate to a particular tunnel group (by OU) or tunnel group matching + certificate maps.

You can apply a match on the dynamic crypto map to match the proxy identities.

For DNS resolution - it has not been implemented:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsc74898

Marcin

edit: Added enhancements and clarifications.
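The certificate + dynamic-map design from the accepted answer, written out as an added configuration example (not part of the original thread and not Cisco-supplied). The ASA is the static hub at 203.0.113.1 with LAN 10.1.0.0/24; the router is a spoke with a dynamic address and LAN 10.2.0.0/24. All names (HQ-CA, DYN-L2L, OUTSIDE-MAP, SPOKE-MAP, L2L-SPOKES, the OU values and the addresses) are assumptions chosen for the example. It assumes both devices have already enrolled with the same CA under the trustpoint shown; the enrollment steps themselves (crypto ca authenticate / enroll) are interactive and are omitted. Three ideas from the answer are visible: the spoke is identified by its certificate, not its IP; a certificate map steers anyone whose certificate carries OU=VPN-Spokes into the L2L-SPOKES tunnel group; and a match address on the dynamic map pins the proxy identities so a spoke can only negotiate the networks the hub expects.

```cisco
! ===== ASA 8.3 hub (static peer) =====
! Trustpoint shared with the spokes. Enrollment assumed done (example name).
crypto ca trustpoint HQ-CA
 enrollment terminal
 subject-name CN=asa-hub,OU=VPN-Hubs,O=Example
 keypair HQ-CA-KEY
!
! Phase 1: certificate (rsa-sig) authentication, DN as ISAKMP identity
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Proxy identities the spoke is allowed to negotiate (hub LAN <-> spoke LAN)
access-list SPOKE1-PROXY extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! 8.3 object NAT: keep hub<->spoke traffic out of PAT (assumed object names)
object network HQ-LAN
 subnet 10.1.0.0 255.255.255.0
object network SPOKE1-LAN
 subnet 10.2.0.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static SPOKE1-LAN SPOKE1-LAN
!
! Dynamic crypto map: no "set peer", because the spoke's address is unknown.
! "match address" limits the proxy identities a dynamic peer may propose.
crypto dynamic-map DYN-L2L 10 match address SPOKE1-PROXY
crypto dynamic-map DYN-L2L 10 set transform-set TS-AES256-SHA
crypto dynamic-map DYN-L2L 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
!
! Certificate map: any peer cert with OU=VPN-Spokes lands in tunnel group L2L-SPOKES
crypto ca certificate map SPOKE-MAP 10
 subject-name attr ou eq VPN-Spokes
tunnel-group-map enable rules
tunnel-group-map SPOKE-MAP 10 L2L-SPOKES
!
tunnel-group L2L-SPOKES type ipsec-l2l
tunnel-group L2L-SPOKES ipsec-attributes
 trust-point HQ-CA
 peer-id-validate req
 isakmp keepalive threshold 10 retry 2

! ===== IOS spoke (dynamic peer) =====
crypto pki trustpoint HQ-CA
 enrollment terminal
 subject-name CN=spoke1,OU=VPN-Spokes,O=Example
 revocation-check none
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended SPOKE1-PROXY
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Static crypto map on the spoke: it knows the hub's fixed address
crypto map SPOKE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 match address SPOKE1-PROXY
!
interface GigabitEthernet0/0
 description WAN (DHCP-assigned address, assumed interface name)
 ip address dhcp
 crypto map SPOKE-MAP
```

Because the ASA has no peer address to initiate to, the tunnel can only be brought up from the spoke side (reverse-route injection on the dynamic map installs a route to 10.2.0.0/24 once the SA is up). The OU string in the certificate map is the access-control decision here, so it should only be issued by the CA to devices you intend to admit; peer-id-validate req additionally makes the ASA insist that the ISAKMP identity matches the certificate. To see which tunnel group a connecting spoke was mapped into and why, use show crypto isakmp sa, show crypto ipsec sa and, while testing, debug crypto isakmp 127.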

Re: Dynamic L2L on ASA 8.3.

Thank you.

That was exactly what I was after. I will ensure I put any VPN-related questions in the VPN section in the future.

Cheers.
