Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

site to site vpn with dynamic ip on both sides

Hi, is it possible to configure site to site vpn with both sides has dynamic ip addresses assign?

both asa devices have the latest firmware.



Re: site to site vpn with dynamic ip on both sides

Certainly on a router you can tie your crypto-map to the "any" address ( Assuming you're using PSK, that means you'll accept any connection as long as the PSK and the crypto-map configuration matches. That would allow dynamic addressed routers to connect.

For the ASA, I'm not sure.

Sent from Cisco Technical Support iPad App

Hall of Fame Super Silver

site to site vpn with dynamic ip on both sides


I have thought about your question and wondered about the possibility of configuring the "any" option as suggested by Jeff. But after considering this I believe that there is a problem in this approach. While it is certainly a viable configuration and works quite well to accept a connection request from any other device, I believe that it is sort of like configuring to set up an Etherchannel. If you set both end as passive then they will both accept a connection request. But there is not anything set up to initiate the request. For this crypto configuration both peers will accept a connection request, but I do not see how you get either peer to initiate a connection request to the other.

I have not been able to think of a way to do what you want and to establish a site to site VPN when when peers are using dynamic addresses. The closest I have come is to use dynammic DNS and base the peering on names rather than addresses. But I can not remember seeing anything where someone has done it this way.