New Member

Remote VPN Peer Dynamic IP

I'm transitioning from a Netscreen 50 to an ASA 5510. Trying to re-establish the few VPN tunnels that I have. On the old Netscreen, rather than using an IP address for the far end of the tunnel, it uses a "PeerID" (the other end of the tunnel gets its IP address via DHCP from Comcast). Is this functionality available in ASDM? When I run the VPN Wizard, I don't see an option for it, only for IP address. Don't want to use an IP, because it can and does change often.

Thanks!

4 REPLIES
Hall of Fame Super Blue

Re: Remote VPN Peer Dynamic IP

Daniel

Yes, this functionality is available with the ASA; it is called dynamic crypto maps. Have a look at the following configuration guide, and if you still have questions don't hesitate to come back:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1042880

Jon

New Member

Re: Remote VPN Peer Dynamic IP

Jon,

I think I understand what's going on here, except for one thing:

The crypto map (not dynamic) uses the peer IP address and pre-shared key to authenticate the peer. I have this for the peer:

(123 is my example peer IP Address)

crypto map Outside_map 20 set peer 123.123.123.123

What other identifier would I use with the dynamic crypto map to identify the peer (since I'm not going to use the IP)?

Thanks for your patience :)

Hall of Fame Super Blue

Re: Remote VPN Peer Dynamic IP

Daniel

With a dynamic crypto map the only "identifier" as such is the pre-shared key. With a dynamic crypto map any IP address can attempt a connection to the VPN device but obviously without the pre-shared key it will not authenticate and set up a tunnel.

Hence the security of the tunnel is even more reliant on the pre-shared key.

Jon
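
The setup discussed above, sketched as an added example that is not part of the original thread or of Cisco's guide: a dynamic crypto map attached to the existing Outside_map, with the pre-shared key as the only thing that distinguishes a legitimate peer. The policy number, map and transform-set names, sequence numbers and the key placeholder are assumptions, as is the reliance on DefaultL2LGroup for peers that have no tunnel-group of their own.

```cisco
! Added example; names and numbers below are assumptions, not from the thread.
! Syntax is the ASA 7.x form covered by the linked guide
! (later releases spell some of these commands differently).

! Phase 1 policy shared by every peer that negotiates on this interface.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside

! Phase 2 proposal (name is hypothetical).
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Dynamic map: no "set peer" line, so the far end may arrive from any address.
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-256-SHA

! Attach it to the existing crypto map at the highest sequence number so
! static entries such as "Outside_map 20" are evaluated first.
crypto map Outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_map interface outside

! Peers with no tunnel-group of their own fall into DefaultL2LGroup,
! so this one key authenticates every dynamic-address peer.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <LONG-RANDOM-KEY-PLACEHOLDER>
```

Because that key is shared by every peer landing in the default group, generate it randomly, make it long, and rotate it whenever a remote device is retired.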

New Member

Re: Remote VPN Peer Dynamic IP

Jon,

Well, I suppose that would make sense! As always, thanks for helping the newbie :)

--Dan
