[c-nsp] Site to Site VPN using ASA and far end with dynamic peer
Eric Girard
egirard at focustsi.com
Fri Jan 7 15:55:29 EST 2011
Right. Sorry if I skipped over the dynamic map. I can't get a config right now, but I'm pretty sure all that is needed on the static side is the dynamic map/regular crypto map, the DefaultL2L tunnel group for PSK, and then the nat 0 ACL if desired. The unit with the dynamic IP will not look any different than a normal static to static tunnel setup.
-----Original Message-----
From: Scott Granados [mailto:scott at granados-llc.net]
Sent: Friday, January 07, 2011 1:50 PM
To: Eric Girard
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
If you had a config example that would be great.
My understanding though is you'd set up a dynamic map, use the default tunnel group an matching policy.
Makes sense.
On Jan 7, 2011, at 9:07 AM, Eric Girard wrote:
> Scott,
> At least as far as the tunnel group is concerned, your PSK goes into the built-in DefaultL2LGroup tunnel group. You still need to have the appropriate NAT exemptions if needed, but the interesting traffic on the core site is whatever the dynamic side asks for during tunnel setup. I dig out a working config with an ASA at the core and a PIX on the dynamic side if needed.
>
> Eric
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Maier
> Sent: Friday, January 07, 2011 11:48 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
>
> then you have to use a dynamic crypto map
>
> Am 07.01.2011 01:40, schrieb Scott Granados:
>> Actually, the branch is an old Pix.
>>
>> We also have an environment using a Juniper SRX so I'm not sure this is a good fit.
>>
>> Thanks
>> Scott
>>
>> On Jan 6, 2011, at 4:34 PM, schilling wrote:
>>
>>> You have ASA/IOS routers on the branch office, right?
>>>
>>> Cisco Easy VPN Remote Client might be what you are looking for. You
>>> can use client mode or network extension mode according to your need.
>>>
>>> http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html
>>>
>>> Schilling
>>>
>>> On Thu, Jan 6, 2011 at 6:46 PM, Scott Granados<scott at granados-llc.net> wrote:
>>>> Hi, I have a relatively simple question but the examples I find on cisco.com don't seem to do much but confuse me.:)
>>>>
>>>> Here's the setup. I have a Cisco ASA with several site to site VPN tunnels terminated to branch offices. All to date have used static IP addressing on both sides so using the tunnel-group a.b.c.d type l2l has been very simple. We now have a branch with PPPOE DSL and dynamic addressing. Could someone provide an example of the ASA side how to accept a VPN site to site session from a remote device using a dynamic IP.
>>>>
>>>> What do you use instead of the target tunnel-group / peer address entry?
>>>>
>>>> Presently the ASA is running 8.2.x code using a normal dynamic map for remote clients and the standard crypto map entries for each peer. I assume it's some variation on the dynamic map theme but not quite sure how to make that work.
>>>>
>>>> Any pointers would be appreciated.
>>>>
>>>> Thanks
>>>> Scott
>>>>
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list