• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3958

Site to Site VPN Cisco ASA 8.3 dynamic to static

Can someone please assist me with my ASA configurations for a VPN connection between a central office and a remote office. The central office has a static IP and is using an ASA 5510, and the remote site is using a 5505 with a dynamically assigned IP. Attached are the configs for both.

Any help is greatly appreciated!

ASA 5510 (Central Office):
ASA Version 8.3(2) 
!
hostname MGMTCOasa
domain-name mgmtco.local
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.a.a.a 255.255.255.224 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.17.1.11
 domain-name mgmtco.local
object network internal_lan 
 subnet 172.17.1.0 255.255.255.0
object network obj-local 
 subnet 172.17.1.0 255.255.255.0
object network obj-remote 
 subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
object network internal_lan
 nat (inside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 38.c.c.c 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
 
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****


REMOTE SITE (5505):
ASA Version 8.3(2) 
!
terminal width 132
hostname Mag-ASA
domain-name mag.local

names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
 
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.1.11
 domain-name mag.local
object network internal_lan 
 subnet 172.16.1.0 255.255.255.0
object network obj-local 
 subnet 172.16.1.0 255.255.255.0
object network obj-remote 
 subnet 172.17.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a 
crypto map ASA2VPN 10 set transform-set myset
crypto map ASA2VPN 10 set security-association lifetime seconds 86400
crypto map ASA2VPN interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 38.a.a.a type ipsec-l2l
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
!


Asked: Undisputed
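Before swapping designs, the posted dynamic-to-static configuration can be verified as it stands. The walkthrough below is an added example, not part of the original question or of any answer; the hostnames, interface names and addresses are the ones from the two configs above, and the LAN hosts 172.16.1.10 (behind the 5505) and 172.17.1.10 (behind the 5510) are assumed for the test traffic. Two points follow directly from the hub config: the hub has only a dynamic crypto map, so it cannot initiate the tunnel and the 5505 must bring it up; and the hub's LAN1-to-LAN2 and NONAT access lists are not referenced anywhere, because the dynamic map needs no match address and 8.3 NAT exemption is done by the twice-NAT line with obj-local/obj-remote.

```cisco
! ===== Remote 5505 (Mag-ASA): bring the tunnel up and check phase 1 / phase 2 =====
! Assumed test hosts (not in the posted configs): 172.16.1.10 behind the 5505,
! 172.17.1.10 behind the 5510.

! 1. Confirm NAT exemption and the crypto map catch LAN-to-LAN traffic before
!    touching IPsec. The NAT phase should hit the twice-NAT identity rule and
!    the VPN phase should show encryption; a DROP here is a NAT or ACL problem.
packet-tracer input inside icmp 172.16.1.10 8 0 172.17.1.10 detailed

! 2. Generate interesting traffic. Sourcing the ping from the inside interface
!    makes it match LAN2-to-LAN1 the same way a LAN host would.
ping inside 172.17.1.10

! 3. Phase 1: expect one entry for peer 38.a.a.a in state MM_ACTIVE.
!    An initiator stuck at MM_WAIT_MSG6 is the classic pre-shared-key mismatch.
show crypto isakmp sa

! 4. Phase 2: #pkts encaps and #pkts decaps must both increase.
!    Encaps rising while decaps stays at zero means the hub never sent anything
!    back, which points at NAT exemption or routing on the hub, not at IKE.
show crypto ipsec sa peer 38.a.a.a

! 5. If phase 1 never completes, watch the exchange while retrying.
debug crypto isakmp 7
clear crypto isakmp sa
ping inside 172.17.1.10
no debug all

! ===== Hub 5510 (MGMTCOasa): the spoke's address is not known in advance =====
! The session must land on the dynamic map "cisco" and on DefaultL2LGroup.
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb l2l

! The key under DefaultL2LGroup ipsec-attributes is the one the hub offers to
! any peer it has no specific tunnel-group for; it must equal the key the 5505
! carries under "tunnel-group 38.a.a.a ipsec-attributes".
show running-config tunnel-group DefaultL2LGroup
```

The l2l session list on the hub shows the 5505's current public address as the peer; if that address changes after a DHCP renewal, the old SA lingers until its lifetime expires or it is cleared, and the 5505 simply re-initiates with the new address, which is exactly what the dynamic map plus DefaultL2LGroup is there for.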
3 Solutions
 
lrmoore commented:
Use EZVPN. Set up the 5510 as server and the 5505 as client.
EZVPN server (the only difference is the NAT 0 statement):
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Client config:
You will have to remove this statement:
  >nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/remcli.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1019263
0
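To make the Easy VPN suggestion concrete, here is the shape of both sides for network-extension mode, written against the addresses and objects in the posted 8.3(2) configs. This is an added example, not lrmoore's, Cisco's or the asker's configuration; the group name EZVPN-GROUP, the policy name EZVPN-POLICY, the split-tunnel ACL SPLIT and the placeholder key <ezvpn-key> are assumed names. The hub keeps its ISAKMP policy, its dynamic crypto map on outside and its twice-NAT exemption from the posted config; the 5505 drops its crypto map, its L2L tunnel-group and, as the answer above says, the static twice-NAT line, and runs as a hardware client instead.

```cisco
! ===== Hub: ASA 5510 (MGMTCOasa), Easy VPN server, network-extension mode =====
! Assumed names: EZVPN-GROUP, EZVPN-POLICY, SPLIT, <ezvpn-key>.

! Only the central LAN goes through the tunnel; the remote site's other
! traffic stays local and is PAT'd by the 5505 as today.
access-list SPLIT standard permit 172.17.1.0 255.255.255.0

group-policy EZVPN-POLICY internal
group-policy EZVPN-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
! nem enable lets the 5505's whole 172.16.1.0/24 be routed over the tunnel
! instead of being hidden behind the client's address.
 nem enable

! The hardware client authenticates with the group pre-shared key only;
! no XAUTH user is required.
tunnel-group EZVPN-GROUP type remote-access
tunnel-group EZVPN-GROUP general-attributes
 default-group-policy EZVPN-POLICY
tunnel-group EZVPN-GROUP ipsec-attributes
 pre-shared-key <ezvpn-key>
 isakmp ikev1-user-authentication none

! Unchanged from the posted hub config: "crypto map dyn-map 65535 ipsec-isakmp
! dynamic cisco" on outside, and the twice-NAT line with obj-local/obj-remote,
! which keeps 172.17.1.0/24 <-> 172.16.1.0/24 out of the interface PAT.

! ===== Remote: ASA 5505 (Mag-ASA), Easy VPN hardware client =====
! Remove the pieces that belong to the L2L design first.
no crypto map ASA2VPN interface outside
clear configure crypto map ASA2VPN
clear configure tunnel-group 38.a.a.a
no nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

! Hardware-client settings; group name and key must match the hub exactly.
vpnclient server 38.a.a.a
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup EZVPN-GROUP password <ezvpn-key>
vpnclient enable
```

The operational trade-off against the dynamic crypto map design in the question is the same on both sides: with Easy VPN the 5505 identifies itself by group name rather than by address, so a DHCP address change on the remote side needs no reconfiguration, but the hub can still only accept, never initiate, the connection, and the group key is shared by every client in that group rather than being specific to one peer.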
 
Pete Long (Technical Consultant) commented:
Vote #2: Easy VPN is simple to set up: http://www.petenetlive.com/KB/Article/0000337.htm
0
 
lrmoore commented:
Nice one, Pete!
0
 
Pete Long (Technical Consultant) commented:
:) Cheers m8y
0
 
Undisputed (Author) commented:
I'm aware that Easy VPN is a solution, but isn't there a solution using the way I started above?

Are there pros and cons to using one method over the other?
0
 
lrmoore commented:
You need a specified peer. We *used* to be able to specify 0.0.0.0 as the peer in the old PIX days, but not so with the ASA.

You can try this configuration, but ASA 8.3 changed a lot of things and you might not get the same results. Obviously the NAT configuration is totally different.
http://ashcisasa.blogspot.com/
0
 
Undisputed (Author) commented:
Will give it a try. Thank you.
0
 
digitap commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
