Solved

Dynamic to Static Tunnel

Posted on 2008-10-15
Last Modified: 2012-08-13
I have a situation where my company has a site-to-site VPN with static addresses on both sides. The Vice President has just had an ASA device set up at his home, and he has a dynamic IP address through his ISP. I need to know how to set up the ASA device to automatically discover the new IP address and use it to keep the VPN tunnel open. I have heard that you can set an ASA to use a DynDNS record instead of a static IP. Can you please help me?
Question by:dallasgrp
3 Comments
 
LVL 12

Expert Comment

by:alikaz3
ID: 22725553
Are you familiar with DynDNS? See dyndns.com for more information.

Here's a quick rundown:
Install the DynDNS client on a server computer at the VP's home. It will monitor the WAN IP address and, when it changes, update your DynDNS name by contacting the DynDNS server. Then, on your office VPNs, enter the DynDNS name instead of the IP (example.dyndns.com).
 
LVL 1

Author Comment

by:dallasgrp
ID: 22762460
What is the exact line of code for the DynDNS entry? I tried "crypto map VPN 1 set peer abc.dyndns.org" and it didn't work :o(
 
LVL 1

Accepted Solution

by:
dallasgrp earned 0 total points
ID: 22840910
I ended up calling Cisco TAC. The DynDNS record "was" supported on the PIX, where they had a ton of trouble with it. In the ASA they have removed the ability to use DynDNS records altogether, per Cisco (I have no idea if that's true or not).

Anyway, I am including the code and steps to set up Dynamic and Static VPN tunnels to possibly help others:

***********************************
Steps to Create a Static VPN
***********************************
1) crypto isakmp policy 1   (Internet Security Association Key Management Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
9) crypto map VPN 1 set peer A.B.C.D  (Remote IP)(ISP Specified)
10) crypto map VPN 1 set transform-set ESP-3DES-SHA
11) crypto map VPN 1 match address VPN
12) crypto map VPN interface outside
13) crypto isakmp enable outside
14) crypto isakmp nat-traversal  (Optional)
15) tunnel-group A.B.C.D type ipsec-l2l  (Remote IP, must be the same address as the set peer in step 9)
16) tunnel-group A.B.C.D ipsec-attributes  (Remote IP)
17) pre-shared-key cisco123
17) pre-shared-key cisco123
18) access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
19) nat (inside) 0 access-list nonat

Reverse all statements on the other side as needed.



**************************************
Steps to Create a Dynamic VPN
**************************************
1) crypto isakmp policy 1   (Internet Security Association Key Management Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-traversal  (Optional)
13) tunnel-group DefaultL2LGroup ipsec-attributes
14) pre-shared-key cisco123
15) access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
16) nat (inside) 0 access-list nonat

This would be the configuration that you would put on the Static IP firewall. On the Dynamic IP firewall you would use the static config above. The idea here is that the Dynamic IP firewall calls out to the Static IP firewall via the IP you hard-code in the Dynamic IP firewall's config, and the Dynamic IP side tells the Static IP side "this is my IP address". Once the Static side has this information it will use it to open up the tunnel. When the IP changes on the Dynamic side, it will once again call out to the Static IP firewall and say "this is my new IP address".

***********************************************
VPN hardware to VPN software tunnel (Group name, Group password, PCF file, etc)
**********************************************
1) crypto isakmp policy 1   (Internet Security Association Key Management Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-traversal  (Optional)
13) group-policy REMOTE internal
14) group-policy REMOTE attributes
15) vpn-tunnel-protocol ipsec
16) split-tunnel-policy tunnelall  (No Internet)  or  split-tunnel-policy tunnelspecified  (Internet)
17) access-list split extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
18) split-tunnel-network-list value split
19) ip local pool VPN 192.168.100.1-192.168.100.254 mask 255.255.255.0
20) tunnel-group REMOTE type ipsec-ra
21) tunnel-group REMOTE general-attributes
22) default-group-policy REMOTE
23) address-pool VPN
24) authentication-server-group (LOCAL or RADIUS) (Optional)
25) username cisco password cisco
26) tunnel-group REMOTE ipsec-attributes
27) pre-shared-key cisco123

This is how you set up a VPN group that would be used with the Cisco VPN client.
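As an added example (not part of the original thread), a small Python check that the two sides of the L2L tunnel described in the accepted answer agree with each other: the set-peer address has a tunnel-group of the same name (the mismatch in the original steps), the pre-shared keys and transform-sets are identical, and the nonat ACLs are mirror images. The addresses and key below are constructed sample values, and the parser only understands the handful of ASA commands the answer uses.

```python
"""Added example: cross-check the two ASA L2L configs from the accepted answer."""
# Constructed sample: dynamic-IP (home) side, i.e. the post's "Static VPN" steps.
HOME = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 1 set peer 203.0.113.10
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
pre-shared-key cisco123
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
"""
# Constructed sample: static-IP (office) side, i.e. the post's "Dynamic VPN" steps.
OFFICE = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key cisco123
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
"""

def parse(cfg):
    """Collect peers, L2L tunnel-groups, PSKs, transform-sets and ACL entries."""
    d = {"peers": set(), "l2l": set(), "psk": set(), "tsets": {}, "acls": {}}
    for t in filter(None, map(str.split, cfg.splitlines())):  # skip blank lines
        if t[:2] == ["crypto", "map"] and t[-2:-1] == ["peer"]:
            d["peers"].add(t[-1])
        elif t[0] == "tunnel-group" and t[2:] == ["type", "ipsec-l2l"]:
            d["l2l"].add(t[1])
        elif t[0] == "pre-shared-key":
            d["psk"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = tuple(t[4:])          # name -> ESP algorithms
        elif t[0] == "access-list":
            d["acls"].setdefault(t[1], set()).add(tuple(t[5:9]))  # src mask dst mask
    return d

def check_pair(home_cfg, office_cfg):
    """List mismatches (e.g. a set-peer address with no matching tunnel-group)."""
    h, o = parse(home_cfg), parse(office_cfg)
    issues = []
    for p in h["peers"] - h["l2l"]:
        issues.append(f"peer {p} has no matching 'tunnel-group {p} type ipsec-l2l'")
    if h["psk"] != o["psk"]:
        issues.append("pre-shared keys differ")
    if h["tsets"] != o["tsets"]:
        issues.append("transform-sets differ")
    # The static side's nonat ACL must be the home side's with src/dst swapped.
    mirror = {(a[2], a[3], a[0], a[1]) for a in h["acls"].get("nonat", ())}
    if mirror != o["acls"].get("nonat", set()):
        issues.append("nonat ACLs are not mirror images of each other")
    return issues
```

An empty list from check_pair means the two sides are consistent; each string describes one disagreement to fix before bringing the tunnel up.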
