Site to Site VPN Cisco ASA 8.3 dynamic to static

Can someone please assist me with my ASA configurations for a VPN connection between a central office and a remote office. The central office has a static IP and is using an ASA 5510, and the remote site is using a 5505 with a dynamically assigned IP. Attached are the configs for both.

Any help is greatly appreciated!

ASA 5510 (Central Office)
ASA Version 8.3(2) 
!
hostname MGMTCOasa
domain-name mgmtco.local
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.a.a.a 255.255.255.224 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.17.1.11
 domain-name mgmtco.local
object network internal_lan 
 subnet 172.17.1.0 255.255.255.0
object network obj-local 
 subnet 172.17.1.0 255.255.255.0
object network obj-remote 
 subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
object network internal_lan
 nat (inside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 38.c.c.c 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
 
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****


REMOTE SITE (5505):
ASA Version 8.3(2) 
!
terminal width 132
hostname Mag-ASA
domain-name mag.local

names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
 
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.1.11
 domain-name mag.local
object network internal_lan 
 subnet 172.16.1.0 255.255.255.0
object network obj-local 
 subnet 172.16.1.0 255.255.255.0
object network obj-remote 
 subnet 172.17.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a 
crypto map ASA2VPN 10 set transform-set myset
crypto map ASA2VPN 10 set security-association lifetime seconds 86400
crypto map ASA2VPN interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 38.a.a.a type ipsec-l2l
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
!

UndisputedAsked:
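As an added illustration (not code from the question or from any of the answers below), here is a Python checker, run over trimmed excerpts of the two configs above, that flags the mismatches that most often keep a dynamic-to-static ASA 8.3 L2L tunnel from coming up: spoke peer versus hub outside IP, a dynamic crypto map and DefaultL2LGroup on the hub, mirrored crypto ACLs, and matching transform sets and ISAKMP proposals. The excerpt strings, function names and message texts are this example's own assumptions.

```python
import re

# Trimmed excerpts of the two ASA 8.3 configs posted in the question (constructed test input).
HUB = """\
 ip address 38.a.a.a 255.255.255.224
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group DefaultL2LGroup ipsec-attributes
"""
SPOKE = """\
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map ASA2VPN 10 set peer 38.a.a.a
crypto isakmp policy 10
 encryption aes-256
 hash sha
 group 2
"""

def grab(pat, text):
    """First capture group of a regex over the config (trailing blanks dropped), or None."""
    m = re.search(pat, text, re.M)
    return m.group(1).strip() if m else None

def interesting_traffic(text):
    """(src, dst) subnet pairs of 'permit ip A MASK B MASK' lines, i.e. the crypto ACL."""
    return set(re.findall(r"^access-list \S+ extended permit ip (\S+ \S+) (\S+ \S+)", text, re.M))

def phase1(text):
    """(encryption, hash, DH group) of every ISAKMP policy block, whatever other lines it holds."""
    return set(re.findall(r"crypto isakmp policy \d+\n(?: .*\n)*? encryption (\S+)\n hash (\S+)\n group (\S+)", text))

def check_pair(hub, spoke):
    """Return the mismatches that would stop a dynamic-to-static L2L tunnel from forming."""
    hub_ip = grab(r"^ ip address (\d\S*) \S+$", hub)  # the hub's static outside address
    ts = r"^crypto ipsec transform-set \S+ (.*)$"
    checks = [
        (grab(r"set peer (\S+)", spoke) == hub_ip, "spoke peer is not the hub outside IP"),
        (re.search(r"^crypto map \S+ \d+ ipsec-isakmp dynamic ", hub, re.M), "hub needs a dynamic crypto map: the spoke address is unknown"),
        ("tunnel-group DefaultL2LGroup" in hub, "hub PSK must sit in DefaultL2LGroup for a peer with no fixed IP"),
        ({(d, s) for s, d in interesting_traffic(spoke)} == interesting_traffic(hub), "crypto ACLs are not mirror images"),
        (grab(ts, hub) == grab(ts, spoke), "IPsec transform sets differ"),
        (phase1(hub) & phase1(spoke), "no common ISAKMP policy"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run against the excerpts as posted the checker returns an empty list, which is consistent with the answers below treating the question as a design choice rather than a config error; feed it a full `show running-config` from each box to test the real pair.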
lrmooreCommented:
Use EZVPN. Set up the 5510 as server and the 5505 as client.
EZVPN server (the only difference is the NAT 0 statement):
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Client config:
You will have to remove this statement
  >nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/remcli.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1019263
 
Pete LongTechnical ConsultantCommented:
Vote #2: Easy VPN is simple to set up: http://www.petenetlive.com/KB/Article/0000337.htm
 
lrmooreCommented:
Nice one, Pete!
 
Pete LongTechnical ConsultantCommented:
:) Cheers m8y
 
UndisputedAuthor Commented:
I'm aware that EasyVPN is a solution, but isn't there a solution using the way I started above?

Are there pros and cons to using one method over the other?
 
lrmooreCommented:
You need a specified peer. We *used* to be able to specify 0.0.0.0 as the peer in the old PIX days, but not so with the ASA.

You can try this configuration, but ASA 8.3 changed a lot of things and you might not get the same results. Obviously the NAT configuration is totally different.
http://ashcisasa.blogspot.com/
 
UndisputedAuthor Commented:
Will give it a try. Thank you.
 
digitapCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.