urgent-Site-Site VPN with ASA having Dynamic Peers

pranavam_dileep
Level 1

hi all,

I got stuck in configuring Cisco ASA for site-site vpn with both peers having Dynamic IP. I cannot configure the peer identity as hostname through ASDM, e.g. abc.selfip.com. I checked in the NetPro also, but I didn't get any satisfactory explanation. This scenario is possible in some other devices like Sonicwall, where we can enter the peer identity as hostname at both sides.

Can someone help me on this issue?

3 Replies

i.va
Level 3

Hi!

I'm sorry, but according to my knowledge this isn't possible with 2 Cisco ASAs with a dynamic IP on each side of the VPN. At least one side needs to have a static IP (the other side would connect with aggressive mode).

You could configure one side (e.g. called BR) as an EasyVPN Hardware Client, which connects to the other side (e.g. called HQ) via FQDN. You would need to run a DynDNS service at the HQ side (also not supported on the ASA).

However, if the HQ IP changes, the DNS cache of the BR ASA still holds the old IP. The BR ASA would need to be rebooted for it to connect again in a reasonable amount of time. This was the case with ASA v7.2(4)... maybe the behavior is different with v8.2(1).

Site-to-Site VPNs work most reliably if both sides have static IPs.

hth

Ingo

andrew.prince
Level 10

At least one end must know the IP of the remote end. You cannot use domain names without using certificates.

What you are trying to do is not possible.

HTH

hi,

Can I establish site-site by creating certificates of domain names? If so, how can I do that?

regards

dileep
