Solved

Dynamic to Static Tunnel

Posted on 2008-10-15
Last Modified: 2012-08-13
I have a situation where my company has a site-to-site VPN with static addresses on both sides. The Vice President has just had an ASA device set up at his home and he has a dynamic IP address through his ISP. I need to know how to set up the ASA device to automatically discover the new IP address and use it to keep the VPN tunnel open. I have heard that you can set an ASA to use a DynDNS record instead of a static IP. Can you please help me?
Question by:dallasgrp
Expert Comment

by:alikaz3
ID: 22725553
Are you familiar with DynDNS? See dyndns.com for more information.

Here's a quick rundown:
Install DynDNS on a server computer at the VP's home. It will monitor the WAN IP address and, when it changes, will update your DynDNS name by contacting the server. Then on your office VPNs, enter the DynDNS name instead of the IP (example.dyndns.com).
Author Comment

by:dallasgrp
ID: 22762460
What is the exact line of code for the DynDNS entry? I tried "crypto map VPN 1 set peer abc.dyndns.org" and it didn't work :o(
Accepted Solution

by:dallasgrp
ID: 22840910
I ended up calling Cisco TAC. The DynDNS record "was" supported on the PIX, where they had a ton of trouble with it. In the ASA they have removed the ability to use DynDNS records altogether. Per Cisco (I have no idea if that's true or not).

Anyway, I am including the code and steps to set up Dynamic and Static VPN tunnels to possibly help others:

***********************************
Steps to Create a Static VPN
***********************************
! ISAKMP = Internet Security Association and Key Management Protocol (phase 1 policy)
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Interesting traffic: local LAN to remote LAN
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
! A.B.C.D = the remote peer's static IP (ISP specified)
crypto map VPN 1 match address VPN
crypto map VPN 1 set peer A.B.C.D
crypto map VPN 1 set transform-set ESP-3DES-SHA
crypto map VPN interface outside
crypto isakmp enable outside
! Optional: NAT-T, only needed when a NAT device sits between the peers (ASDM calls this NAT Transparency)
crypto isakmp nat-traversal 20
! The tunnel-group name must be exactly the address given to "set peer"
tunnel-group A.B.C.D type ipsec-l2l
tunnel-group A.B.C.D ipsec-attributes
 pre-shared-key cisco123
! Exempt the VPN traffic from NAT
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat

Reverse all statements on the other side as needed.



**************************************
Steps to Create a Dynamic VPN
**************************************
! ISAKMP = Internet Security Association and Key Management Protocol (phase 1 policy)
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto map: no "set peer", the remote address is learned when the peer connects
crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
! Highest sequence number so static entries in the same map are tried first
crypto map VPN 65535 ipsec-isakmp dynamic VPN
crypto map VPN interface outside
crypto isakmp enable outside
! Optional: NAT-T, only needed when a NAT device sits between the peers (ASDM calls this NAT Transparency)
crypto isakmp nat-traversal 20
! No per-peer tunnel-group is possible without a fixed address; the key goes on the catch-all L2L group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco123
! Exempt the VPN traffic from NAT (mirror image of the ACL on the other side)
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat

This would be the configuration that you would put on the Static IP firewall. On the Dynamic IP firewall you would use the static config above. The idea here is that when the Dynamic IP firewall calls out to the Static one via the IP you hard-code in the Dynamic IP firewall's config, the Dynamic IP side tells the Static IP side "this is my IP address". Once the Static side has this information it will use it to open up the tunnel. When the IP changes on the Dynamic side, it will once again call out to the Static IP firewall and say "this is my new IP address".

***********************************************
VPN hardware to VPN software tunnel (Group name, Group password, PCF file, etc)
**********************************************
! ISAKMP = Internet Security Association and Key Management Protocol (phase 1 policy)
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
crypto map VPN 65535 ipsec-isakmp dynamic VPN
crypto map VPN interface outside
crypto isakmp enable outside
! Optional: NAT-T (ASDM calls this NAT Transparency)
crypto isakmp nat-traversal 20
! Networks reachable through the tunnel (used by tunnelspecified) and the client address pool
access-list split extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPN 192.168.100.1-192.168.100.254 mask 255.255.255.0
group-policy REMOTE internal
group-policy REMOTE attributes
 vpn-tunnel-protocol ipsec
 ! tunnelall = everything through the tunnel (no local Internet);
 ! tunnelspecified = only the networks in the split ACL (Internet stays local)
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
! The tunnel-group name is the group name the VPN client (or its PCF file) uses
tunnel-group REMOTE type ipsec-ra
tunnel-group REMOTE general-attributes
 default-group-policy REMOTE
 address-pool VPN
 ! Optional: LOCAL is the default; substitute a RADIUS server-group name instead
 authentication-server-group LOCAL
tunnel-group REMOTE ipsec-attributes
 ! This is the "group password" entered in the VPN client
 pre-shared-key cisco123
username cisco password cisco

This is how you set up a VPN group that would be used with the Cisco VPN client.
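Added example, not from the thread or from Cisco: a small Python checker that reads the two sides' configs (the dynamic-IP firewall carrying the static-style crypto map, the static-IP firewall carrying the dynamic crypto map, as laid out above) and reports the mismatches that keep such a tunnel from coming up: a tunnel-group name that is not the "set peer" address, pre-shared keys that differ between the peer tunnel-group and DefaultL2LGroup, and a nonat ACL on the static side that is not the mirror image of the crypto ACL. The sample configs are constructed with documentation addresses; the parser assumes the pre-shared-key line directly follows its tunnel-group ipsec-attributes line.

```python
import re

# Constructed sample pair (documentation IPs, placeholder key), not the thread's real values.
DYNAMIC_SIDE = """
crypto map VPN 1 set peer 203.0.113.1
crypto map VPN 1 match address VPN
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key cisco123
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
STATIC_SIDE = """
crypto map VPN 65535 ipsec-isakmp dynamic VPN
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco123
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

def first(pattern, cfg):
    """First capture group of a line-anchored regex, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def acl(name, cfg):
    """(source, destination) pairs of an extended 'permit ip' access-list."""
    return re.findall(rf"^access-list {name} extended permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)

def psk(group, cfg):
    """Pre-shared key under a tunnel-group's ipsec-attributes (assumed on the next line)."""
    return first(rf"^tunnel-group {re.escape(group)} ipsec-attributes\n\s*pre-shared-key (\S+)", cfg)

def check_pair(dyn, sta):
    """Mismatches between the dynamic-IP side and the static-IP side; [] means consistent."""
    problems = []
    peer = first(r"^crypto map \S+ \d+ set peer (\S+)", dyn)
    # The L2L tunnel-group name must be exactly the address given to 'set peer'.
    if not peer or not re.search(rf"^tunnel-group {re.escape(peer)} type ipsec-l2l", dyn, re.M):
        problems.append(f"dynamic side: 'tunnel-group {peer} type ipsec-l2l' missing")
    if not re.search(r"^crypto map \S+ \d+ ipsec-isakmp dynamic \S+", sta, re.M):
        problems.append("static side: no 'crypto map ... ipsec-isakmp dynamic' entry")
    # The static side has no per-peer tunnel-group; its key lives under DefaultL2LGroup.
    if peer is None or psk(peer, dyn) != psk("DefaultL2LGroup", sta):
        problems.append("pre-shared key differs between peer tunnel-group and DefaultL2LGroup")
    crypto = acl(first(r"^crypto map \S+ \d+ match address (\S+)", dyn), dyn)
    # The static side's nonat ACL must be the mirror image of the dynamic side's crypto ACL.
    if acl(first(r"^nat \(inside\) 0 access-list (\S+)", sta), sta) != [(d, s) for s, d in crypto]:
        problems.append("static side: nonat ACL is not the mirror of the dynamic side's crypto ACL")
    return problems
```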