New Member

ASA 8.3 Static - Dynamic L2L

Hi,

We currently have a Hub - Spoke setup with many static-to-static lan-to-lan vpn tunnels configured.

I have been asked to set up a vpn from the hub to a remote site which uses dhcp to obtain its peer address.

I have searched for an answer to this, but everything I have found shows the dynamic map being applied to the outside interface.

The normal map is currently applied to it, and I don't think multiples are allowed? I can't test, as it's a working environment.

So my query is, how do I add this config without affecting any of the current connections?

Alternately, is there any way to configure the phase 1 isakmp identity as "hostname" for this one particular connection (all others use "address") and get them to use a dyndns config?

VIP Purple

ASA 8.3 Static - Dynamic L2L

The VPN has to be initiated from the device with the dynamic IP. The ASA cannot use an FQDN as the peer (the IOS-router can). The dynamic crypto map is not attached to the interface. It's attached to the static crypto-map with a sequence that has to be higher than all sequence-numbers used for site-to-site connections.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

ASA 8.3 Static - Dynamic L2L

Any chance of an example config? Is the below enough?

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key TESTKEY
crypto dynamic-map DMAP1 500 set transform-set MYSET
crypto map REMSITE 500 ipsec-isakmp dynamic DMAP1

VIP Purple

ASA 8.3 Static - Dynamic L2L

That config should be ok. Perhaps you need to extend it further with a group-policy depending on your needs (VPN-Filter or so ...).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
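
Added example, not part of the original thread: an offline check of a saved ASA configuration for the two points made in the replies above, namely that the dynamic entry sits inside the crypto map already bound to the interface and that its sequence number is higher than every static site-to-site entry. The map name OUTSIDE_MAP, the ACL names and the peer addresses in the sample are constructed for illustration.

```python
import re

# Constructed sample config (map name, ACLs, peers and sequence numbers are invented).
SAMPLE = """\
crypto map OUTSIDE_MAP 10 match address ACL_SITE_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set MYSET
crypto map OUTSIDE_MAP 20 match address ACL_SITE_B
crypto map OUTSIDE_MAP 20 set peer 192.0.2.20
crypto map OUTSIDE_MAP 20 set transform-set MYSET
crypto dynamic-map DMAP1 500 set transform-set MYSET
crypto map OUTSIDE_MAP 500 ipsec-isakmp dynamic DMAP1
crypto map OUTSIDE_MAP interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")      # numbered map entry
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")  # map applied to an interface
DYN = re.compile(r"^ipsec-isakmp dynamic (\S+)$")         # entry pointing at a dynamic map

def check_dynamic_entries(config):
    """Return a list of findings; an empty list means the layout matches the advice."""
    static, dynamic, bound = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if (m := BIND.match(line)):
            bound.add(m.group(1))
        elif (m := ENTRY.match(line)):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            target = dynamic if DYN.match(rest) else static
            target.setdefault(name, set()).add(seq)
    findings = []
    if not dynamic:
        findings.append("no crypto map entry references a dynamic map")
    for name, seqs in dynamic.items():
        if name not in bound:
            findings.append(f"{name}: holds a dynamic entry but is not bound to an interface")
        # Any static sequence at or above the dynamic one would be evaluated after it.
        clash = sorted(s for s in static.get(name, ()) if s >= min(seqs))
        if clash:
            findings.append(f"{name}: static sequence(s) {clash} are not below dynamic entry {min(seqs)}")
    return findings

if __name__ == "__main__":
    for finding in check_dynamic_entries(SAMPLE) or ["OK: dynamic entry is last in the bound map"]:
        print(finding)
```

Run it against a copy of the running configuration rather than the sample to review a planned change before it is applied to the production hub.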
