Solved

Dynamic to Static Tunnel

Posted on 2008-10-15
3
1,785 Views
Last Modified: 2012-08-13
I have a situation where my company has a site to site VPN with static addresses on both sides. The Vice President has just had an ASA device set up at his home and he has a Dynamic IP address through his ISP. I need to know how to set up the ASA device to automatically discover the new IP address and use it to keep the VPN tunnel open. I have heard that you can set an ASA to use a DYNDNS record instead of a Static IP. Can you please help me.
0
Comment
Question by:dallasgrp
  • 2
3 Comments
 
LVL 12

Expert Comment

by:alikaz3
ID: 22725553
are you familiar with dyndns? dyndns.com for more information

here's a quick rundown:
install dyndns on a server computer at the VPs home, it will monitor the WAN IP address, and when it changes, will update your dyndns name by contacting the server. Then on your office vpns, enter the dyndns name instead of the ip (example.dyndns.com).
0
 
LVL 1

Author Comment

by:dallasgrp
ID: 22762460
what is the exact line of code for the DYNDNS entry. I tried crypto map VPN 1 set peer abc.dyndns.org and it didn't work :o(
0
 
LVL 1

Accepted Solution

by:
dallasgrp earned 0 total points
ID: 22840910
I ended up calling Cisco TAC. The DYNDNS record "was" supported on the PIX where they had a ton of trouble with it. In the ASA they have removed the ability to use DYNDNS records altogether. Per Cisco (I have no idea if thats true or not)

Anyways I am including the code and steps to set up a Dynamic and Static VPN tunnels to possibly help others:

***********************************
Steps to Create a Static VPN
***********************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
9) crypto map VPN 1 set peer A.B.C.D  (Remote IP)(ISP Specified)
10) crypto map VPN 1 set transform-set ESP-3DES-SHA
11) crypto map VPN 1 match address VPN
12) crypto map VPN interface outside
13) crypto isakmp enable outside
14) crypto isakmp nat-transparency(Optional)
15) tunnel-group 24.52.75.1(Remote IP) type ipsec-l2l
16) tunnel-group 24.52.75.1(Remote IP) ipsec-attributes
17) pre-shared-key cisco123
18) access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
19) nat (inside) 0 access-list nonat

Reverse all statements on the other side as needed.



**************************************
Steps to Create a Dynamic VPN
**************************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-transparency(Optional)
13) tunnel-group DefaultL2LGroup ipsec-attributes
14) pre-shared-key cisco123
15) access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
16) nat (inside) 0 access-list nonat

This would be the configuration that you would put on the Static IP firewall. On the Dynamic IP firewall you would use the static config above. The idea here is that when the Dynamic IP firewall calls out to the Static via the IP you hard code in the dynamic IP firewalls config, The Dynamic IP side tells the Static IP side this is "my IP address" once the Static Side has this information it will use it to open up the tunnel. When an IP changes on the Dynamic side it will once again call out to the Static IP firewall and say this is "my new IP address"

***********************************************
VPN hardware to VPN software tunnel (Group name, Group password, PCF file, etc)
**********************************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-transparency(Optional)
13) group-policy REMOTE internal
14) group-policy REMOTE attributes
15) vpn-tunnel-protocol ipsec
16) split-tunnel-policy ****tunnelall(No Internet) or tunnelspecified(Internet)***
17) access-list split extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
18) split-tunnel-network value split
19) ip local pool VPN 192.168.100.1-192.168.100.254 mask 255.255.255.0
20) tunnel-group REMOTE type ipsec-ra
21) tunnel-group REMOTE general-attributes
22) default-group-policy REMOTE
23) address-pool VPN
24) authentication-server-group (LOCAL or RADIUS) (Optional)
25) username cisco password cisco
26) tunnel-group REMOTE ipsec-attributes
27) pre-shared-key cisco123

This is how you set up a VPN group that would be used with the Cisco VPN client
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question