Solved

Dynamic to Static Tunnel

Posted on 2008-10-15
3
1,793 Views
Last Modified: 2012-08-13
I have a situation where my company has a site to site VPN with static addresses on both sides. The Vice President has just had an ASA device set up at his home and he has a Dynamic IP address through his ISP. I need to know how to set up the ASA device to automatically discover the new IP address and use it to keep the VPN tunnel open. I have heard that you can set an ASA to use a DYNDNS record instead of a Static IP. Can you please help me.
0
Comment
Question by:dallasgrp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 12

Expert Comment

by:alikaz3
ID: 22725553
are you familiar with dyndns? dyndns.com for more information

here's a quick rundown:
install dyndns on a server computer at the VPs home, it will monitor the WAN IP address, and when it changes, will update your dyndns name by contacting the server. Then on your office vpns, enter the dyndns name instead of the ip (example.dyndns.com).
0
 
LVL 1

Author Comment

by:dallasgrp
ID: 22762460
what is the exact line of code for the DYNDNS entry. I tried crypto map VPN 1 set peer abc.dyndns.org and it didn't work :o(
0
 
LVL 1

Accepted Solution

by:
dallasgrp earned 0 total points
ID: 22840910
I ended up calling Cisco TAC. The DYNDNS record "was" supported on the PIX where they had a ton of trouble with it. In the ASA they have removed the ability to use DYNDNS records altogether. Per Cisco (I have no idea if thats true or not)

Anyways I am including the code and steps to set up a Dynamic and Static VPN tunnels to possibly help others:

***********************************
Steps to Create a Static VPN
***********************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
9) crypto map VPN 1 set peer A.B.C.D  (Remote IP)(ISP Specified)
10) crypto map VPN 1 set transform-set ESP-3DES-SHA
11) crypto map VPN 1 match address VPN
12) crypto map VPN interface outside
13) crypto isakmp enable outside
14) crypto isakmp nat-transparency(Optional)
15) tunnel-group 24.52.75.1(Remote IP) type ipsec-l2l
16) tunnel-group 24.52.75.1(Remote IP) ipsec-attributes
17) pre-shared-key cisco123
18) access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
19) nat (inside) 0 access-list nonat

Reverse all statements on the other side as needed.



**************************************
Steps to Create a Dynamic VPN
**************************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-transparency(Optional)
13) tunnel-group DefaultL2LGroup ipsec-attributes
14) pre-shared-key cisco123
15) access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
16) nat (inside) 0 access-list nonat

This would be the configuration that you would put on the Static IP firewall. On the Dynamic IP firewall you would use the static config above. The idea here is that when the Dynamic IP firewall calls out to the Static via the IP you hard code in the dynamic IP firewalls config, The Dynamic IP side tells the Static IP side this is "my IP address" once the Static Side has this information it will use it to open up the tunnel. When an IP changes on the Dynamic side it will once again call out to the Static IP firewall and say this is "my new IP address"

***********************************************
VPN hardware to VPN software tunnel (Group name, Group password, PCF file, etc)
**********************************************
1) crypto isakmp policy 1   (Internet Security Association Key Managment Protocol)
2) group 2
3) authentication pre-share
4) lifetime 86400
5) encryption 3des
6) hash sha
7) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
8) crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
9) crypto map VPN 65535 ipsec-isakmp dynamic VPN
10) crypto map VPN interface outside
11) crypto isakmp enable outside
12) crypto isakmp nat-transparency(Optional)
13) group-policy REMOTE internal
14) group-policy REMOTE attributes
15) vpn-tunnel-protocol ipsec
16) split-tunnel-policy ****tunnelall(No Internet) or tunnelspecified(Internet)***
17) access-list split extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
18) split-tunnel-network value split
19) ip local pool VPN 192.168.100.1-192.168.100.254 mask 255.255.255.0
20) tunnel-group REMOTE type ipsec-ra
21) tunnel-group REMOTE general-attributes
22) default-group-policy REMOTE
23) address-pool VPN
24) authentication-server-group (LOCAL or RADIUS) (Optional)
25) username cisco password cisco
26) tunnel-group REMOTE ipsec-attributes
27) pre-shared-key cisco123

This is how you set up a VPN group that would be used with the Cisco VPN client
0

Featured Post

Are Your IoT Devices Out to Get You?

IoT business is booming, with manufacturers connecting any and every “thing” to the Internet. But as pressure grows to release new products faster and faster, we’re all left to wonder: is security a priority? Join our webinar on June 29th for the answer.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question