Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Dynamic VPN and static routes

I am running an ASA with 8.4(3) and am trying to setup a dynamic VPN tunnel.  We are having a business reason to establish a VPN tunnel to customers who do not have nailed down IP addresses.  Now I found a number of documents that outline the steps involved.  It seems the basic steps were to

  1. Establish a regular tunnel
  2. Add dynamic crypto map
  3. Assign the dynamic crypto map to the tunnel created under step 1.

While this sounds pretty straight forward and simple, while prepping for doing just this I hot a road block while thinking it through. In order for my ASA to put anything into the tunnel it has to have a route to the remote network pointing at my VPN peer at the  end of the tunnel.  How do I do this in a dynamic tunnel?  How do I add a dynamic route so the ASA knows which tunnel to stuff the traffic into?  How do I stop the traffic from just being send to the Internet?



Everyone's tags (3)
Cisco Employee

ASA Dynamic VPN and static routes


Dynamic crypto maps can only act as a responder.

Dynamic crypto map entries can have match statments to differentiate which traffic should be pushed.

Initiators that fall under dynamic crypto map can "force" what traffic to push through this particular peer (unless otherwise constrained).

I.e. once the remote end (with dynamic IP) intiates IKE negotiation and the tunnel establishes there will be a binding between which traffic to send and the endpoint IP address(es).