10-22-2008 01:59 AM - edited 03-09-2019 09:42 PM
Hi,
On a new network using a dynamic IP on the outside (WAN) I need to configure VPN access using an ASA5505. ASA5505 will connect to ftp server. This new network is isolated (standalone) from corporate network.
Can VPN work? Or do I need a fixed IP on the outside of ASA5505 (WAN port)?
Any thoughts?
10-22-2008 02:15 AM
You will be able to configure a VPN to connect to a "remote" network, but the "remote" network will HAVE to have a static IP address.
AFAIK - you cannot configure a VPN on a device that has a dynamic IP address for a site to site connection.
If it is a remote VPN client connection, you could use DNS and DDNS for the profile name in the VPN client.
HTH>
10-22-2008 03:21 AM
Hi Andrew
"AFAIK - you cannot configure a VPN on a device that has a dynamic IP address for a site to site connection"
I may be misunderstanding the above but you can create a site-to-site VPN from a device with a dynamic IP address but it is less secure. Also at least one end would need a fixed IP. Basically you configure a dynamic crypto map entry and where you would configure the peer IP address you use 0.0.0.0 which means any remote peer can connect. Obviously the importance of the shared key/certificate then becomes even more significant.
If I have misunderstood just ignore me :)
Jon
10-22-2008 03:32 AM
Jon,
You are right of course - one end would have to have a static IP address. It's basically just like a remote VPN client connecting, but it's actually a remote site.
In those cases - the need for security is paramount, and I have implemented IKE negotiation to the highest levels, with a 168 character PSK, with a low key lifetime.
So say using AES256, DH Group 5 and SHA - with a lifetime of 1 hour and PFS... if someone was able to capture the key negotiation then try and crack it - they would have to do it in one hour, before ALL keys are renegotiated.
Not forgetting the AES256 encryption - the strongest on the planet!
Andrew.
10-22-2008 04:21 AM
Maybe the following document could be helpful
M.
10-22-2008 05:59 PM
Hi Guys & Gals,
Additional info.
It is a client-to-site vpn. We only limit 1 user per remote location and to one particular PC only. We have about 20 sites, and all these sites are using dynamic IP (due to low cost). Other than this forum, I have received mixed info from a number of people. Some said that I could set up a vpn access even if I have dynamic IP on the outside (WAN) of ASA5505. Some said I must have a fixed IP.
So to verify this, has anyone really configured vpn to work on ASA5505 using dynamic IP on the outside (WAN) of ASA5505? If yes, how was the setup?
If the dynamic IP works, and a fixed IP only provides added security and nothing else, then my management would have to decide which to go for. FYI, the difference in broadband cost over here (dynamic vs fixed IP) is a whopping $5000 a month.
Any thoughts?
10-23-2008 12:15 AM
Eric,
Whichever way you dress it up it's like this:-
To communicate over the internet from point a to point b, you need an IP address or name.
The ASA5505 must either have a static IP, or DHCP - but with DHCP you will need DDNS.
If you have a static IP address on the ASA5505 - cool, all remote VPN clients have the IP address statically configured. If you have DHCP and DDNS, then the remote VPN clients will have the domain name as the end point.
HTH>
10-23-2008 12:33 AM
Hi Andrew,
Thank you.
Any idea if DDNS can be enabled in ASA5505?
10-23-2008 12:36 AM
As a matter of fact it does, see the below config link for examples:-
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html
HTH>
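To make the two pieces of advice in this thread concrete (Jon's dynamic crypto map that accepts peers from any address, Andrew's IKE parameters of AES256 / DH group 5 / SHA / 1 hour / PFS, and DDNS on a DHCP-addressed outside interface), here is an ASA 7.2-style configuration fragment. It is an added illustration, not configuration from any poster in the thread; the names DYNMAP, OUTSIDE_MAP, ESP-AES256-SHA, DDNS-OUT, the hostname asa5505.example.com and the PSK placeholder are assumed, and the DDNS method shown sends standard DNS updates (RFC 2136), so the authoritative DNS server must be configured to accept them.

```cisco
! --- Outside interface: DHCP address plus DDNS registration of the
! --- hostname that remote VPN clients will use as their peer.
ddns update method DDNS-OUT
 ddns both
interface Vlan2
 nameif outside
 security-level 0
 ddns update hostname asa5505.example.com
 ddns update DDNS-OUT
 ip address dhcp setroute
!
! --- Phase 1 (ISAKMP) policy matching the parameters discussed above:
! --- AES-256, SHA, DH group 5, 1 hour lifetime, pre-shared key auth.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
!
! --- Phase 2 (IPsec) proposal and a dynamic crypto map.  No peer
! --- address is set, so any remote peer may negotiate; the PSK and
! --- the ISAKMP policy are the only things gating that negotiation.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYNMAP 10 set pfs group5
crypto dynamic-map DYNMAP 10 set security-association lifetime seconds 3600
!
! --- Dynamic entries go last (highest sequence) in the static map so
! --- that any explicitly addressed peers are matched first.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
!
! --- Pre-shared key used for dynamically addressed LAN-to-LAN peers.
! --- REPLACE_WITH_LONG_RANDOM_PSK is a placeholder, not a real key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_PSK
```

Because the dynamic map accepts any source address, the pre-shared key (or a certificate) carries the whole burden of peer authentication, which is the point Jon makes above; verify with `show crypto isakmp sa` and `show crypto ipsec sa` that only expected peers have established SAs.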
10-23-2008 12:52 AM
Hi Andrew,
If that is the case, all I need to do is register a dns name with a ddns provider, enable ddns in ASA5505, and I am done, isn't it?
10-23-2008 12:56 AM
In theory yes - that's all it requires.
10-23-2008 01:13 AM
Hi Andrew,
Many many thanks.