• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1804
  • Last Modified:

Dynamic to Static Tunnel

I have a situation where my company has a site to site VPN with static addresses on both sides. The Vice President has just had an ASA device set up at his home and he has a Dynamic IP address through his ISP. I need to know how to set up the ASA device to automatically discover the new IP address and use it to keep the VPN tunnel open. I have heard that you can set an ASA to use a DYNDNS record instead of a Static IP. Can you please help me.
0
dallasgrp
Asked:
dallasgrp
  • 2
1 Solution
 
alikaz3Commented:
are you familiar with dyndns? dyndns.com for more information

here's a quick rundown:
install dyndns on a server computer at the VPs home, it will monitor the WAN IP address, and when it changes, will update your dyndns name by contacting the server. Then on your office vpns, enter the dyndns name instead of the ip (example.dyndns.com).
0
 
dallasgrpAuthor Commented:
what is the exact line of code for the DYNDNS entry. I tried crypto map VPN 1 set peer abc.dyndns.org and it didn't work :o(
0
 
dallasgrpAuthor Commented:
I ended up calling Cisco TAC. The DYNDNS record "was" supported on the PIX where they had a ton of trouble with it. In the ASA they have removed the ability to use DYNDNS records altogether. Per Cisco (I have no idea if thats true or not)

Anyways I am including the code and steps to set up a Dynamic and Static VPN tunnels to possibly help others:

***********************************
Steps to Create a Static VPN
***********************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
9) crypto map VPN 1 set peer A.B.C.D  (Remote IP)(ISP Specified)
10) crypto map VPN 1 set transform-set ESP-3DES-SHA
11) crypto map VPN 1 match address VPN
12) crypto map VPN interface outside
13) crypto isakmp enable outside
14) crypto isakmp nat-transparency(Optional)
15) tunnel-group 24.52.75.1(Remote IP) type ipsec-l2l
16) tunnel-group 24.52.75.1(Remote IP) ipsec-attributes
17) pre-shared-key cisco123
18) access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
19) nat (inside) 0 access-list nonat

Reverse all statements on the other side as needed.



**************************************
Steps to Create a Dynamic VPN
**************************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-transparency(Optional)
13) tunnel-group DefaultL2LGroup ipsec-attributes
14) pre-shared-key cisco123
15) access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
16) nat (inside) 0 access-list nonat

This would be the configuration that you would put on the Static IP firewall. On the Dynamic IP firewall you would use the static config above. The idea here is that when the Dynamic IP firewall calls out to the Static via the IP you hard code in the dynamic IP firewalls config, The Dynamic IP side tells the Static IP side this is "my IP address" once the Static Side has this information it will use it to open up the tunnel. When an IP changes on the Dynamic side it will once again call out to the Static IP firewall and say this is "my new IP address"

***********************************************
VPN hardware to VPN software tunnel (Group name, Group password, PCF file, etc)
**********************************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-transparency(Optional)
13) group-policy REMOTE internal
14) group-policy REMOTE attributes
15) vpn-tunnel-protocol ipsec
16) split-tunnel-policy ****tunnelall(No Internet) or tunnelspecified(Internet)***
17) access-list split extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
18) split-tunnel-network value split
19) ip local pool VPN 192.168.100.1-192.168.100.254 mask 255.255.255.0
20) tunnel-group REMOTE type ipsec-ra
21) tunnel-group REMOTE general-attributes
22) default-group-policy REMOTE
23) address-pool VPN
24) authentication-server-group (LOCAL or RADIUS) (Optional)
25) username cisco password cisco
26) tunnel-group REMOTE ipsec-attributes
27) pre-shared-key cisco123

This is how you set up a VPN group that would be used with the Cisco VPN client
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now