Site to site tunnel on asa 5512 and rv042

Hi,

I have a Cisco ASA 5512-X at the head office location and Cisco RV042 routers at the sub locations.

There are 9 sub locations.

The head office has a public static IP, but the branches do not have static IPs.

So I need a suggestion: is it possible to build a tunnel (dynamic VPN) between the ASA and the RV042s by using a single IP?

2 REPLIES

Hello Chandrakant,

In this case, since the ASA has the static IP address, you will need to configure it dynamically, and on the RV042 appliances you will need to configure it statically. So on the ASA you will need to configure the following:

  1. Configure a NO-NAT / NAT-EXEMPT rule for the VPN traffic (for the 9 sites, basically), as this example shows:
    object network 10.1.1.0-remote_network
     subnet 10.1.1.0 255.255.255.0

    object network 10.1.2.0-inside_network
     subnet 10.1.2.0 255.255.255.0

    nat (inside,outside) source static 10.1.2.0-inside_network 10.1.2.0-inside_network destination static 10.1.1.0-remote_network 10.1.1.0-remote_network no-proxy-arp route-lookup
  2. Configure the pre-shared key under DefaultL2LGroup in order to authenticate any remote dynamic L2L peer (all of the other 9 peers should have this same pre-shared key):
      tunnel-group DefaultL2LGroup ipsec-attributes
       ikev1 pre-shared-key cisco123
  3. Define the phase-2/ISAKMP policy:
      crypto ikev1 policy 10
       authentication pre-share
       encryption aes-256
       hash sha
       group 2
       lifetime 86400
  4. Define the phase-2 transform set / IPsec policy:
      crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
  5. Configure the dynamic map with these parameters:
      • The required transform set
      • Reverse Route Injection (RRI), which allows the security appliance to learn routing information for connected clients (optional)
      crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset
      crypto dynamic-map outside_dyn_map 1 set reverse-route
  6. Bind the dynamic map to the crypto map, apply the crypto map, and enable ISAKMP/IKEv1 on the outside interface:
      crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

      crypto map outside_map interface outside
      crypto ikev1 enable outside

The RV042 appliances need to be configured as a normal site-to-site VPN, specifying the peer IP address, the interesting traffic, the phase 1 and phase 2 encryption algorithms, and the pre-shared key.

Please proceed to rate this post and mark it as correct if it helped you! Keep me posted!

Regards,

David Castro,

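Added example (not from the original reply): the six steps above collected into one hub-side ASA configuration, using an object-group so that a single NAT exemption covers all nine branch LANs instead of one object pair per site. The head-office subnet (10.1.2.0/24), the branch subnets (10.1.1.0/24 and 10.1.3.0/24 through 10.1.10.0/24), the object and map names, and the key placeholder are assumed values chosen for the example.

```cisco
! Added example, assumed addressing: HQ LAN 10.1.2.0/24, nine branch LANs below.
! Interesting traffic for the NAT exemption
object network HQ-INSIDE-NET
 subnet 10.1.2.0 255.255.255.0
object-group network BRANCH-NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.1.5.0 255.255.255.0
 network-object 10.1.6.0 255.255.255.0
 network-object 10.1.7.0 255.255.255.0
 network-object 10.1.8.0 255.255.255.0
 network-object 10.1.9.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
! One twice-NAT exemption (identity NAT) for HQ <-> all nine branches
nat (inside,outside) source static HQ-INSIDE-NET HQ-INSIDE-NET destination static BRANCH-NETS BRANCH-NETS no-proxy-arp route-lookup
!
! Phase 1 (IKEv1/ISAKMP): the RV042s must propose exactly this
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
! Every peer whose address is not in a named tunnel-group lands in
! DefaultL2LGroup, so all nine branches authenticate with this one key.
! Replace the placeholder with a long random string; never use cisco123.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! Phase 2 (IPsec) and the dynamic crypto map; RRI installs a route to
! each branch LAN only while that branch's tunnel is up
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE-DYN-MAP 1 set ikev1 transform-set TSET
crypto dynamic-map OUTSIDE-DYN-MAP 1 set reverse-route
! Dynamic entry gets the lowest priority (highest sequence number)
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic OUTSIDE-DYN-MAP
crypto map OUTSIDE-MAP interface outside
```

Two consequences of this design are worth keeping in mind. Because the branch addresses are dynamic, the ASA has no peer address to dial and cannot initiate any of the tunnels; each RV042 must bring its tunnel up (and keep it up), with phase 1 and phase 2 set to match the policy and transform set above (AES-256, SHA-1, DH group 2, pre-shared key), its remote network set to 10.1.2.0/24 and the ASA's public address as the peer. And because every dynamic peer authenticates against DefaultL2LGroup, the nine sites share one pre-shared key, so anyone holding that key can establish a tunnel to the hub from any address; keep the branch subnets unique so that RRI installs one unambiguous route per site, and verify with show crypto ikev1 sa and show crypto ipsec sa once a branch connects.
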
Hello Chandrakant,

Did this help you? Do you have any updates? If this worked out for you, can you mark the post as the correct one and rate it?

Keep me posted!

David Castro,
