Steve B asked:
Cisco ASA 5505 site-site VPN when other site has dynamic IP?

I am trying to set up a site-site VPN between two sites. The Cisco ASA 5505 has a static public IP and the site with an Adtran router has a dynamic IP on the public interface. I have successfully gotten site-site working in other scenarios when both are static, but I have never done one where the initiating site is dynamic. How do you configure this on the ASA? I first tried using the VPN wizard in the ASDM and putting 0.0.0.0 in for the Peer IP address, but it would not accept that.  I also tried to set the peer address to 0.0.0.0 in the command line and it took it but it doesn't appear in the config.

I have attached a config of the Cisco.  I had a VPN configured at one point, but I took it out.  All I really have right now is a VPN setup for Cisco VPN client. I am looking for a way to set up this site-site VPN so the ASA will accept a dynamic IP to start the negotiation.

Is there a proper procedure to configure this? I understand you can possibly do it with Cisco EasyVPN, but I would like to avoid using that if at all possible.

Thanks.


* EDIT by modus_in_rebus (2009/08/07) * masked IP addresses
: Saved
:
ASA Version 7.2(2) 
!
hostname technicom-asa
domain-name technicom.local
enable password K/BDjqgFJ3PSsZao encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.202 255.255.255.0 
!
interface Vlan11
 nameif outside
 security-level 0
 ip address X.X.X.58 255.255.252.0 
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
!
passwd K/BDjqgFJ3PSsZao encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name technicom.local
access-list remotevpn_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip any Y.Y.0.0 255.255.255.240 
access-list inbound extended permit tcp any host X.X.X.58 eq smtp 
access-list inbound extended permit tcp any host X.X.X.58 eq https 
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 Y.Y.0.0 255.255.255.240 
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging from-address asa@technicom-iowa.com
logging recipient-address rfrett@technicom-iowa.com level errors
logging rate-limit 1 600 level 0
mtu inside 1500
mtu outside 1500
ip local pool remote Y.Y.0.1-Y.Y.0.10 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 10.0.0.2 https netmask 255.255.255.255 
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 10.0.0.2
 dns-server value 10.0.0.2
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotevpn_splitTunnelAcl
username remotevpn password a9ya7lahJlZYMpkS encrypted privilege 0
username remotevpn attributes
 vpn-group-policy remotevpn
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool remote
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
smtp-server 10.0.0.2
prompt hostname context 
Cryptochecksum:7ff0e2e3b49b539b9fdddb383f9aa8c5
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

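An added example, not taken from the original post or from the members-only solutions: the ASA 7.2 configuration I would apply on top of the posted config so the ASA accepts a site-to-site tunnel from a peer whose address is not known in advance. It replaces the failed "peer 0.0.0.0" idea with a dynamic crypto-map entry plus a pre-shared key on DefaultL2LGroup. It assumes the Adtran runs IKE main mode with a pre-shared key and proposes 10.0.1.0/24 to 10.0.0.0/24 as its proxy identities; `<shared-secret>` is a placeholder, and the ACL, NAT exemption and ISAKMP policy names are the ones already in the posted config.

```cisco
! --- Phase 1 ---------------------------------------------------------------
! Already present: "crypto isakmp enable outside" and policy 10
! (3DES / SHA / DH group 2 / 86400 s). Configure the Adtran to offer that
! proposal; nothing new is needed on the ASA for phase 1.
!
! --- Interesting traffic and NAT exemption ---------------------------------
! Already present in the posted config, shown here only for context:
!   access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
!   access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
!   nat (inside) 0 access-list nonat
!
! --- Phase 2: a dynamic crypto-map entry instead of "set peer 0.0.0.0" -----
! A dynamic entry carries no peer address. It is used for any IKE peer that
! authenticates and whose proxy identities match the ACL. Sequence 10 is
! evaluated before the existing entry 20 (no match address), which keeps
! serving the Cisco VPN clients.
crypto dynamic-map outside_dyn_map 10 match address outside_20_cryptomap
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set pfs group2
!
! The posted static entry 20 has neither "ipsec-isakmp" nor "set peer", so it
! can never match a peer; remove it rather than leave a dead entry in front
! of the dynamic one.
no crypto map outside_map 20 match address outside_20_cryptomap
no crypto map outside_map 20 set pfs
no crypto map outside_map 20 set transform-set ESP-3DES-MD5
!
! Already present: the dynamic map is bound at the lowest priority, so any
! static L2L entries added later still take precedence.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! --- Authentication --------------------------------------------------------
! In main mode the ASA looks the pre-shared key up by peer address. An
! address that matches no tunnel-group falls through to DefaultL2LGroup,
! so the key shared with the Adtran goes there (placeholder value).
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <shared-secret>
```

The tunnel can only be brought up from the Adtran side, since the ASA has no address to initiate to; send interesting traffic from 10.0.1.0/24 and check `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA. If the Adtran can only do aggressive mode, the ASA selects the tunnel-group from the identity payload rather than the address, so create a `tunnel-group <identity> type ipsec-l2l` named exactly as the identity the Adtran sends and put the key there instead. Two items visible in the posted config are worth fixing in the same change: `ssh 0.0.0.0 0.0.0.0 outside` exposes the management plane to every Internet host, and ISAKMP policy 30 (DH group 1, MD5) is a weak proposal that should not be the one the remote ends up matching.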

debuggerau replied:
This may help:
https://www.myciscocommunity.com/docs/DOC-2378

Did you use 0.0.0.0 and mask 0.0.0.0?

I thought the only way was Cisco EasyVPN too...
ASKER CERTIFIED SOLUTION by geergon (members-only; text not available on this page)

SOLUTION (members-only; text not available on this page)