Cisco Support Community
New Member

Dynamic Site to Site Tunnel

What would need to be changed for this to be dynamic?

access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list nonat extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer xx.xxx.xxx.101
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group xx.xxx.xxx.101 type ipsec-l2l
tunnel-group xx.xxx.xxx.101 ipsec-attributes
 pre-shared-key ciscorules

2 REPLIES
New Member

Re: Dynamic Site to Site Tunnel

Clarification:

ASA has a static IP

PIX has a dynamic IP

I need to create a site-to-site tunnel between them.

Green

Re: Dynamic Site to Site Tunnel

On the ASA, use the DefaultL2LGroup; don't create a tunnel group with the IP address of the PIX, as it will change.

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

and...

access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
crypto dynamic-map dyn_map 10 match address 100
crypto dynamic-map dyn_map 10 set pfs
crypto dynamic-map dyn_map 10 set transform-set myset
crypto map outside_map 20 ipsec-isakmp dynamic dyn_map

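An added example, not part of the thread and not Cisco tooling: a small Python consistency check for the dynamic-peer setup described in the reply above, run over running-config text. It assumes the reply's lines are entered on top of the question's config (the function name and finding messages are hypothetical); in that state it reports that crypto map sequence 20 still holds the static `set peer` entry that the dynamic reference is meant to replace.

```python
import re

# Constructed input: the question's lines plus the reply's lines (peer masked as on the page).
SAMPLE = """\
access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer xx.xxx.xxx.101
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
crypto dynamic-map dyn_map 10 match address 100
crypto dynamic-map dyn_map 10 set pfs
crypto dynamic-map dyn_map 10 set transform-set myset
crypto map outside_map 20 ipsec-isakmp dynamic dyn_map
"""

def check_dynamic_l2l(config):
    """Return consistency findings for a dynamic-peer L2L responder config."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    defined = {"transform-set": set(), "address": set()}  # names that exist
    dyn, static, refs, applied, psk, out = {}, set(), {}, set(), False, []
    for i, ln in enumerate(lines):
        if m := re.match(r"(?:crypto ipsec )?(transform-set|access-list) (\S+)", ln):
            defined[m[1].replace("access-list", "address")].add(m[2])
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ (?:match|set) (\S+) ?(\S*)", ln):
            dyn.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", ln):
            refs[(m[1], m[2])] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) (?:match|set) ", ln):
            static.add((m[1], m[2]))
        elif m := re.match(r"crypto map (\S+) interface ", ln):
            applied.add(m[1])
        elif ln == "tunnel-group DefaultL2LGroup ipsec-attributes":
            psk = i + 1 < len(lines) and "pre-shared-key" in lines[i + 1]
    for (cmap, seq), name in refs.items():
        if name not in dyn:
            out.append(f"{cmap} {seq}: dynamic-map {name} is not defined")
        if (cmap, seq) in static:
            out.append(f"{cmap} {seq}: sequence already holds a static entry")
        if cmap not in applied:
            out.append(f"{cmap}: not applied to an interface")
    for name, opts in dyn.items():
        out += [f"{name}: {kind} {val} is not defined"
                for kind, val in opts if kind in defined and val not in defined[kind]]
    if not psk:
        out.append("DefaultL2LGroup: no pre-shared-key under ipsec-attributes")
    return out
```

Calling `check_dynamic_l2l(SAMPLE)` returns the single sequence-20 finding; once the static entry's lines are removed from the input, the list is empty.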