We have an ASA 5540 at our main office and we established a site-to-site VPN with several small offices (the small offices have PIX 506 and ASA 5505) at different places, which are connected through cable modems, and the cable modems pull dynamic IPs from the CMTS. On a few of the firewalls at the offices we assigned a static IP, because whenever a cable modem pulls a new IP we need to change the IP on the main ASA 5540 in our office to bring the tunnel up. Is there any other way through which the ASA learns the IP by itself, so we don't need to manually change the IP on the ASA?
For the PIXs, meaning the remote sites that have dynamic DHCP on their outside interfaces, you need to configure them as a regular L2L and specify the peer address, which is the HQ ASA appliance that does have a static IP on its outside interface.
For the HQ side the crypto map type would be dynamic-map, as seen in the example link for the LION HQ firewall, which is the static side. For the pre-shared key you can use the default tunnel group the ASA already has, DefaultL2LGroup; that pre-shared key will be used by the remote sites to authenticate the tunnel. Please try attempting to configure it. Pay attention also to the NAT exempt access-list 100 seen in the example, to permit the source and destination networks, and apply the access list in the nat statement
nat (inside) 0 access-list 100
and make sure the transform sets are identical at both ends. Again, make an attempt to configure the tunnel with your first remote site and have that remote side initiate traffic to bring up the tunnel; if the tunnel does not come up, come back so we can help you out.
I quote from the link above.
This would be the HQ side for the dynamic settings:
crypto dynamic-map cisco 1 set transform-set myset
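For reference, here is a fuller sketch of both ends the answer above describes (the static HQ ASA with a dynamic crypto map and the DefaultL2LGroup key, and a remote PIX 506 with a regular L2L crypto map pointing at the HQ address). This is an added example, not from the thread or the linked document; the subnets, the HQ public address 203.0.113.10, the policy numbers and the key placeholder are all assumptions.

```text
! ===== HQ ASA 5540 (static outside IP, assumed 203.0.113.10) =====
! NAT exemption for traffic between HQ and the remote site (assumed subnets)
access-list 100 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list 100
! Transform set must be identical on both ends
crypto ipsec transform-set myset esp-3des esp-sha-hmac
! Dynamic map: no peer address, so any remote IP that authenticates is accepted
crypto dynamic-map cisco 1 set transform-set myset
! Bind the dynamic map at the lowest priority of the static crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Pre-shared key for all dynamic L2L peers lives in the default tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>

! ===== Remote PIX 506 (dynamic outside IP from the cable modem) =====
! Same two networks, mirrored; used for both NAT exemption and crypto matching
access-list 100 permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list 100
crypto ipsec transform-set myset esp-3des esp-sha-hmac
! Regular (static) L2L map: the peer is the fixed HQ address
crypto map remote_map 10 ipsec-isakmp
crypto map remote_map 10 match address 100
crypto map remote_map 10 set peer 203.0.113.10
crypto map remote_map 10 set transform-set myset
crypto map remote_map interface outside
isakmp enable outside
! Key is tied to the HQ address only; the PIX's own IP may change freely
isakmp key <REPLACE-WITH-SHARED-SECRET> address 203.0.113.10 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Allow decrypted tunnel traffic through without an explicit ACL (PIX 6.x syntax)
sysopt connection permit-ipsec
```

Because only the remote side knows the HQ address, the remote PIX must initiate; after it comes up, "show crypto isakmp sa" on either end should show the peer in QM_IDLE.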
No problem, please let me know the progress. I would suggest starting with the PIX 506 site first, which will be much easier. When the PIX side initiates the tunnel and there is no connection issue at the remote site PIX or the HQ site ASA, run "show crypto isakmp sa"; if you see QM_IDLE the tunnel would be up, but if source hosts cannot connect to destination hosts in HQ we will take a look at the nonat access-lists at both ends.
Would the tunnel come up by itself even after the PIX at the office pulls another IP, or after it pulls another IP do we have to clear the IPsec and ISAKMP sessions to bring the tunnel up?
If this happens on the PIX side then you need to send interesting traffic from the remote side to bring the tunnel back up. Interesting traffic could be a ping or RDP that generates traffic that will go through the tunnel. Remember the HQ is dynamic and will accept the connection on a new IP from the DHCP side as long as the secret keys or any other config pertaining to the IPsec policy is NOT changed at either end.
Usually the dynamic DHCP side may pick a new IP if the PIX is rebooted or when the lease time the ISP has set expires at certain times/dates. If I'm not mistaken DHCP leases last quite a while, but it all depends on the ISP.