Cisco Support Community

asa to netscreen with dynamic IP

Hi, has anyone set up an L2L VPN to a NetScreen 5XP which uses a dynamic address? We are using one with a dynamic crypto map configured on the PIX and aggressive mode on the NetScreen. The PIX is trying to authenticate the NetScreen against the defaultRAGroup, not the group set up for this connection. I have seen a similar problem posted here but with no solution other than getting the client to use a static IP. Here are the relevant config bits, thanks in advance.

tunnel-group netscreen type ipsec-l2l
tunnel-group netscreen ipsec-attributes
 pre-shared-key *
crypto dynamic-map L2LDYN-MAP 10 match address IPSEC-netscreen
crypto dynamic-map L2LDYN-MAP 10 set pfs
crypto dynamic-map L2LDYN-MAP 10 set transform-set DYN-SET
crypto dynamic-map L2LDYN-MAP 10 set security-association lifetime seconds 3600
crypto ipsec transform-set DYN-SET esp-3des esp-sha-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
