Remote VPN Peer Dynamic IP

danielsormsby
Level 1

I'm transitioning from a Netscreen 50 to an ASA 5510. Trying to re-establish the few VPN tunnels that I have. On the old Netscreen, rather than using an IP address for the far end of the tunnel, it uses a "PeerID" (the other end of the tunnel gets its IP address via DHCP from Comcast). Is this functionality available in ASDM? When I run the VPN Wizard, I don't see an option for it, only for IP address. Don't want to use an IP, because it can and does change often.

Thanks!


4 Replies

Jon Marshall
Hall of Fame

Daniel

Yes, this functionality is available with the ASA; it is called dynamic crypto maps. Have a look at the following configuration guide and if you still have questions don't hesitate to come back -

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1042880

Jon

Jon,

I think I understand what's going on here, except for one thing:

The crypto map (not dynamic) uses the peer ip address and pre-shared key to authenticate the peer. I have this for the peer:

(123 is my example peer IP Address)

crypto map Outside_map 20 set peer 123.123.123.123

what other identifier would I use with the dynamic crypto map to identify the peer (since I'm not going to use the IP)?

Thanks for your patience :)

Daniel

With a dynamic crypto map the only "identifier" as such is the pre-shared key. With a dynamic crypto map any IP address can attempt a connection to the VPN device but obviously without the pre-shared key it will not authenticate and set up a tunnel.

Hence the security of the tunnel is even more reliant on the pre-shared key.

Jon
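An added configuration sketch (not from the thread or from Cisco's guide) that puts Daniel's static "set peer" entry beside the dynamic entry Jon describes, so the difference in what identifies the peer is visible. The ACL, transform-set and map names, the subnets and the key placeholders are assumed, as is ASA 7.2/8.x IKEv1 syntax:

```cisco
! IKEv1 phase 1 policy; both peers must agree on these values
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! Phase 2 transform set (assumed name)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Static entry: the far end has a fixed address, as in Daniel's line.
! The peer is identified by its address AND the key tied to that address.
access-list STATIC_PEER_ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map Outside_map 20 match address STATIC_PEER_ACL
crypto map Outside_map 20 set peer 123.123.123.123
crypto map Outside_map 20 set transform-set ESP-AES-SHA
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 pre-shared-key <STATIC-PEER-PSK-PLACEHOLDER>

! Dynamic entry: there is no "set peer", so any source address may
! start a negotiation; only the traffic ACL and the key constrain it.
access-list DYN_PEER_ACL extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto dynamic-map DYN_MAP 10 match address DYN_PEER_ACL
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN_MAP 10 set pfs
! Give the dynamic entry the highest sequence number so the static
! entries above are evaluated first.
crypto map Outside_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map Outside_map interface outside

! Peers that match no address-specific tunnel-group land in
! DefaultL2LGroup; this key is the only thing that separates the
! legitimate DHCP-addressed peer from anyone else on the Internet.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <DYNAMIC-PEER-PSK-PLACEHOLDER>
```

Because the DefaultL2LGroup key is shared by every peer that falls into that group, treat it as the tunnel's sole credential: long, random, and rotated when a remote site is decommissioned.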

Jon,

Well, I suppose that would make sense! As always, thanks for helping the newbie :)

--Dan
