How to configure Cisco ASA5505 to accept multiple L2L VPN connections from dynamic IP addresses

Posted on 2011-05-08
Last Modified: 2012-08-14
I have migrated from a PIX 506E to an ASA5505 at one of our customer's sites. The PIX 506E had a static IP and was set up so that it would receive inbound L2L VPNs from multiple routers at home sites, some with static IP addresses but mostly routers with dynamic IP addresses. It was also set up for L2L VPN connections to various other offices with static-IP Cisco PIXes.

I used the tool to convert the PIX config to the ASA config and everything works except for the inbound L2L VPNs from the home routers with dynamic IP addresses.

Can someone point me in the right direction to make this work again? On the old PIX I wasn't using Easy VPN but made it work using a config that accepted connections from and subnet of (or any) with a pre-shared key.

Some entries from old config below...

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
isakmp key ******** address netmask no-xauth no-config-mode
access-list outside_cryptomap_dyn_40 permit ip

I would prefer not to be directed to a Cisco website as I am not good at understanding the examples there.

Can someone simply give me a set of commands to execute to make this work, please? I am being hassled by many home users, even though they have the Cisco VPN client working to use for connectivity.
Question by:jongrew

    Expert Comment

    by:Pete Long
    You need to look at EasyVPN - there is info on my website but the chuffing thing is down at the moment ;(

    here's the link when it comes back up

    PeteNetLive - KB0000337 - Configure Cisco EasyVPN With Cisco ASA 5500

    In the meantime I've still got the vids on YouTube.

    Author Comment

    PeteLong: Thanks for the reply. This solution seems to rely on my home users having Cisco ASA/PIX devices, which they do not have. They mostly use Draytek Vigor Business ADSL routers, which are capable of making a L2L IPSec tunnel to a head office device (this worked OK with the PIX without EasyVPN Server). There is no Easy VPN Client solution on home routers.

    Are you familiar with Draytek Vigor routers?


    Accepted Solution

    You can do this, but it is a bit tricky: you need to configure the crypto maps as dynamic crypto maps. Here is an example link for the config on a PIX accepting a tunnel from a router with a dynamic IP.

    Also a forum post regarding the setup on the ASA.

    One last important thing to note: the device with the dynamic IP address is the only one that can initiate traffic. It seems obvious, but some people miss this.

    Author Comment

    Cheever000: Thanks for your help. I had seen this article before and skipped through it, but I read it more carefully this time after you sent the link to it.

    I had most of the configuration already in there from the migration from the PIX. Where I had gone wrong was to put a pre-shared key in the DefaultRAGroup at some point, probably in a desperate attempt to make it work one way or another. I removed this pre-shared key, checked I had the pre-shared key in the DefaultL2LGroup, applied the changes, and right away my dynamic routers started connecting.

    I'm guessing that the pre-shared key in DefaultRAGroup stopped the connection attempt from dropping down to the DefaultL2LGroup to attempt connection on that group. Not quite sure how that part works really, but it does now.

    I am awarding the points to you as you put me on the right track to resolve the issue.

    PeteLong: Thanks to you for also trying to assist me
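    The following is an added example, not a config posted by anyone in this thread, that pulls together what the accepted solution (dynamic crypto map as the last entry of the outside crypto map) and the author's fix (pre-shared key on DefaultL2LGroup, none on DefaultRAGroup) describe for an ASA running 8.2-era syntax. The inside LAN 192.168.1.0/24, the home-LAN range 10.0.0.0/8, the key placeholder REPLACE-ME and the object names are assumptions for illustration; the ISAKMP policy and transform set must match whatever the Draytek routers are configured to offer.

```cisco
! Added example: ASA hub accepting IKEv1 main-mode L2L tunnels from peers with dynamic IPs.
! Assumed values: inside LAN 192.168.1.0/24, home LANs 10.0.0.0/8, key REPLACE-ME.
!
! Phase 1: pre-shared-key authentication. Remote Draytek must match enc/hash/group.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set (AES/SHA rather than the legacy 3DES/MD5 from the old PIX config).
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto ACL for the dynamic peers, written from the hub's point of view.
! 'any' as destination would work because the dynamic side initiates, but narrowing
! it to the home-LAN range limits what anyone holding the shared key can reach.
access-list outside_cryptomap_dyn_40 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
!
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES256-SHA
!
! Static-IP office peers keep their own lower-numbered outside_map entries;
! the dynamic entry must be the LAST (highest sequence) entry in the map.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! NAT exemption (pre-8.3 syntax) so tunnelled traffic is not translated.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! The fix from the thread: unknown main-mode peers land in DefaultL2LGroup,
! so the shared key lives there...
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-ME
!
! ...and not in DefaultRAGroup.
tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key
```

    After a home router dials in, `show crypto isakmp sa` should list its current public address as a peer and `show crypto ipsec sa` should show encaps/decaps counters climbing; `debug crypto isakmp 127` shows which tunnel-group a failing peer is being matched to. Two caveats worth keeping in mind: as Cheever000 noted, the hub can never initiate to a dynamic peer, since it has no address to dial; and because every dynamic peer shares the DefaultL2LGroup key, anyone on the Internet who learns that key can build a tunnel to the hub, so the key should be long and random, rotated when a home user leaves, and the crypto ACL kept as narrow as the home LANs allow.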
