Cisco Support Community

New Member

one peer has dynamic IP - Site to site VPN - ASA5540

I need to configure a site-to-site VPN. One of the peers has a dynamic IP. The hostname of the peer is qpmmoroc.dyndns.org. I am able to ping this from the firewall, but how do I configure the peer using the hostname?

11 REPLIES
Cisco Employee

Re: one peer has dynamic IP - Site to site VPN - ASA5540

Unfortunately, this is not a supported configuration. You would need to configure a dynamic-to-static LAN-to-LAN tunnel as per the following sample configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

The VPN tunnel can only be initiated from the dynamic end.

New Member

Re: one peer has dynamic IP - Site to site VPN - ASA5540

Hi, I have 2 questions.

Is this possible in a multi-site scenario?

Don't we have to call any access list on the main site, which has the static IP?

Cisco Employee

Re: one peer has dynamic IP - Site to site VPN - ASA5540

1) You can have multiple dynamic sites connecting to the static site.

2) If it's dynamic, you don't have to configure an access-list; you would need to use a dynamic-map.
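As an added example (not from the original thread, and not Cisco's sample configuration linked above), here is what the reply above describes on both ASAs, in pre-8.3 syntax: a dynamic crypto map and DefaultL2LGroup on the static-IP side, and an ordinary static map on the dynamic-IP side. The addresses are the ones that appear in the "show crypto ipsec sa" output later in the thread (hub 2.2.2.2 with 10.3.0.0/16 behind it, 172.16.3.0/24 behind the dynamic peer); the map, transform-set and ACL names, the interface names and the pre-shared key are placeholders. NAT exemption is not shown in this fragment.

```cisco
! ===== Static-IP hub (outside address 2.2.2.2, LAN 10.3.0.0/16) =====
! IKEv1 policy; must match the dynamic peer's policy exactly.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NAT-T keepalives: required when the dynamic peer is behind a NAT device
! (the thread's SA output shows NAT-T-Encaps on UDP/4500).
crypto isakmp nat-traversal 20

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic crypto map: no "match address" ACL and no "set peer", because the
! peer address is unknown. The hub accepts the remote proxy identities
! (172.16.3.0/24) that the initiator proposes in Quick Mode.
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
! Install a route to the learned remote network while the SA is up.
crypto dynamic-map DYNMAP 10 set reverse-route

! Bind the dynamic map with the HIGHEST sequence number so that any static
! L2L entries in the same crypto map are evaluated first.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

! Dynamic L2L peers that match no tunnel-group of their own fall through to
! DefaultL2LGroup; this PSK is what every dynamic peer must present.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <hub-psk>

! ===== Dynamic-IP spoke (LAN 172.16.3.0/24) =====
! Same IKE policy and transform set as the hub, then a normal static map.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Interesting traffic: spoke LAN to hub LAN. The spoke must originate the
! tunnel, because the hub has no address to call.
access-list VPN_TO_HUB extended permit ip 172.16.3.0 255.255.255.0 10.3.0.0 255.255.0.0

! On the ASA the IOS form "crypto map NAME SEQ ipsec-isakmp" by itself is
! rejected; the entry is built from its individual match/set lines.
crypto map OUTSIDE_MAP 10 match address VPN_TO_HUB
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside

! The spoke's tunnel-group is keyed on the hub's static address.
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <hub-psk>
```

Two caveats a practitioner should weigh. With pre-shared keys, every dynamic peer authenticates against the same DefaultL2LGroup key, so anyone holding that key can bring up a tunnel and, with "set reverse-route", inject a route for whatever network they propose; per-peer tunnel groups need a known address or certificate-based identity, so certificates are the stronger choice once more than a handful of dynamic sites are involved. Second, every additional dynamic site only needs its own non-overlapping LAN and the same key; the hub configuration does not change.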

New Member

Re: one peer has dynamic IP - Site to site VPN - ASA5540

The tunnel actually got established, but I was facing a problem with traffic forwarding.

Moreover, I am also not able to enter the following command on the remote ASA:

crypto map newmap 10 ipsec-isakmp

Can you please help me further?

Cisco Employee

Re: one peer has dynamic IP - Site to site VPN - ASA5540

What do you mean by "you can't enter the command: crypto map newmap 10 ipsec-isakmp"?

Can you share the config, and also the output of what you tried to configure?

New Member

Re: one peer has dynamic IP - Site to site VPN - ASA5540

Hi,

I have established the tunnel.

Out of 2 sites, one site is working without any issues.

The other site's tunnel has been formed, but I am not able to ping any interesting traffic.

What all do I need to check?

Cisco Employee

Re: one peer has dynamic IP - Site to site VPN - ASA5540

Make sure the third site's LAN does not overlap with the other sites' LANs.

Is this the dynamic peer? So you are seeing Phase 1 in QM_IDLE; can you share the output of "show crypto ipsec sa peer "?

New Member

Re: one peer has dynamic IP - Site to site VPN - ASA5540

I have changed the IP addresses. Please don't mind.

sh crypto ipsec sa peer 1.1.1.1

peer address: 1.1.1.1
    Crypto map tag: cisco, seq num: 20, local addr: 2.2.2.2

      local ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
      #pkts decaps: 194, #pkts decrypt: 194, #pkts verify: 194
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2 /4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 9738032C

    inbound esp sas:
      spi: 0x2E96F8B6 (781646006)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 167936, crypto-map: cisco
         sa timing: remaining key lifetime (kB/sec): (4373981/28746)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x9738032C (2537030444)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 167936, crypto-map: cisco
         sa timing: remaining key lifetime (kB/sec): (4373992/28742)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

New Member

Re: one peer has dynamic IP - Site to site VPN - ASA5540

And the peer 1.1.1.1 is the dynamic peer. I don't see any idle messages.

Cisco Employee

Re: one peer has dynamic IP - Site to site VPN - ASA5540

Make sure you have NAT exemption configured between the 2 subnets.
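The NAT exemption the reply above calls for, as an added example that is not part of the original thread. It uses the subnets from the "show crypto ipsec sa" output posted earlier (hub LAN 10.3.0.0/16, dynamic-peer LAN 172.16.3.0/24); the ACL and object names are placeholders, and the same rule is needed in mirror image on the other ASA.

```cisco
! ===== Pre-8.3 syntax =====
! Identity NAT for traffic between the two LANs. Without it the hub's global
! PAT rewrites the source of replies headed for 172.16.3.0/24, the packets no
! longer match the negotiated proxy IDs and are sent in the clear instead of
! into the tunnel. That is consistent with the counters posted above: many
! decaps from the spoke, few encaps back.
access-list NONAT extended permit ip 10.3.0.0 255.255.0.0 172.16.3.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ===== 8.3 and later (object-based NAT) =====
object network HUB-LAN
 subnet 10.3.0.0 255.255.0.0
object network SPOKE-LAN
 subnet 172.16.3.0 255.255.255.0
! Twice-NAT identity rule; it must be ordered above any dynamic PAT rule.
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE-LAN SPOKE-LAN

! ===== Verification =====
! The identity rule's hit count should grow with interesting traffic, and
! #pkts encaps should start climbing in step with #pkts decaps.
show nat
show crypto ipsec sa peer 1.1.1.1
```

The order matters in both syntaxes: "nat 0" exemption is checked before dynamic PAT in pre-8.3 code, and in 8.3+ the identity rule is only honoured if it sits above the PAT rule in section 1 of "show nat".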

New Member

Re: one peer has dynamic IP - Site to site VPN - ASA5540

Thanks, it is working now.
