Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA L2L VPN Dynamic Peers Both Ends

Hi all,

I have some ASA Site-to-Site (L2L ikev2) VPN deployments that are using A Dyanic-to-Static Peer configuration.  Now I have a special case where I cannot get a static IP for either end and have been researching for a solution to connect L2L with Dynamic-to-Dynamic peers.  My research is not really turning up anything and now I am thinking that the ASA may not be capable of this configuration.   Can anyone confirm that this is or is not possible?

My hardware is ASA 5505 running 9.1.4.

Thanks!

Shelby

4 REPLIES
New Member

Are you talking about using

Are you talking about using some sort of dyndns?

How would the two devices find each other?

New Member

This will not be possible.

This will not be possible. You will need at least one static IP address so that at least one end of the tunnel can be configured with an IP address to connect back to. If they are both dynamic then you have no way to tell either ASA where the far end of the tunnel is located.

Hope that helps.

VIP Purple

As already mentioned, you can

As already mentioned, you can't do that with the ASA. But with IOS-routers there are two possible ways to achieve that:

  1. In the crypto map "set peer" you can use a (dyndns) FQDN that only gets reloved to an IP when the connection gets initiated. If you have sites that change the public IP regularly (for example once a day), this solution won't be very stable.
  2. You can use a VPN-type that can resolve IPs for spoke-to-spoke trafic dynamically. DMVPN and FlexVPN are technologies for that. You just need one site with a fixed IP where all dynamically addressed sites can register. All these sites can resolve the dynamic peer addrssses later with the help of the static hub and initiate spoke-to-spoke communication.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Thanks all.  I was searching

Thanks all.  I was searching for a solution using FQDN, but only have ASA as a choice.  Just wanted to be sure that this was not possible on ASA prior to seeking alternate solution and hardware.

 

Thanks again for the confirmation! 

130
Views
0
Helpful
4
Replies