Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Dynamic L2L between ASA 5505

Hello,

we're realizing a project with 5x ASA 5505 Base License and one 5512-X in a computing center. The 5 branches shall be work as dynamic sites, because they are all running on dynamic internet connection. I read, that on the main site (ASA 5512-X) the access from dynamic IPs must be permit, so that a IKE-Exchange and the IPsec tunnel can be established.

We all are new to Cisco ASA devices. I read a lot in "Cisco ASA configuration" written by Richard A. Deal and "Cisco ASA: All-in-one firewall.." written by Frahim & Santos. Everywhere only static L2L tunnels are discussed, but dyn. L2L scripts are missing.

I've done all the config with ASDM, but have read many CLI configurations also.

I got different failures in ASDM syslog, depending on which mode I choose.

I paste the conf. of both ASA 5505 (for test-tunnel). Later 5505 and 5512-X will be connected.

One comes with dynamic cryptomap and the other with static.

I will be grateful if someone could figured out what's the problem.

Greets,

Sascha

Config is attached.

Everyone's tags (5)
3 REPLIES
Super Bronze

Dynamic L2L between ASA 5505

Hi,

Here is one good document giving example of a configuration where you have a central site with Static public IP address and all the remote sites have Dynamic IP address from which they connect.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113573-sol-tunnels-groups.html

- Jouni

Community Member

Re: Dynamic L2L between ASA 5505

Hi JouniForss,

thanks for you're early reply.

I know this tutorial yet. I've tried it one time, but didn't work out. Maybe I made a mistake. I'll try it again.

When I configure dynamic tunnels, ADSM / CLI output says something like "dynamic l2l tunnels will fail if no cert. will be used and/or agressive mode is not used on peer". Sry, I don't got the message with me a.t.m.

1) Which mode do I have to use for tunnel build-up process? AM or MM? Do I really need to use AM?

Furthermore I'd rather prefer to use IKEv2, because tunnel build-up process shall work less fault-prone than IKEv1.
2) Is it the same procedure as IKEv1 or do I have to consider some special points?

EDIT:

3) What's about naming the tunnel-profiles / tunnel-groups? Is it necessary to match the tunnel-profile name? Does it has a consequence when writing the connection name in addition to the peer IP in connection profile on dynamic site?

Community Member

Re: Dynamic L2L between ASA 5505

Anyone other who can answer me these few questions?

244
Views
0
Helpful
3
Replies
CreatePlease to create content