• Status: Solved

How to configure Cisco ASA5505 to accept multiple L2L VPN connections from dynamic IP addresses

I have migrated from a PIX 506E to an ASA5505 on one of our customer's sites. The PIX 506E had a static IP and was set up so that it would receive inbound L2L VPNs from multiple routers on home sites, some with static IP addresses but mostly routers with dynamic IP addresses. It was also set up for L2L VPN connections to various other offices with static IP Cisco PIXs.

I used the tool to convert the PIX config to the ASA config and everything works except for the inbound L2L VPNs from the home routers with dynamic IP addresses.

Can someone point me in the right direction to make this work again?  On the old PIX I wasn’t using Easy VPN but made it work using a config that accepted connections from and subnet of (or any) with a pre-shared key.

Some entries from old config below...

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
isakmp key ******** address netmask no-xauth no-config-mode
access-list outside_cryptomap_dyn_40 permit ip

I would prefer not to be directed to a Cisco website as I am not good at understanding the examples there.

Can someone simply give me a set of commands to execute to make this work please as I am being hassled by many home users even though they have the Cisco VPN client working to use for connectivity?
1 Solution
Pete LongConsultantCommented:
You need to look at EasyVPN - there is info on my website but the chuffing thing is down at the moment ;(

here's the link when it comes back up

PeteNetLive - KB0000337 - Configure Cisco EasyVPN With Cisco ASA 5500

in the mean time I've still got the vids on youtube
jongrewAuthor Commented:
PeteLong: Thanks for the reply. This solution seems to rely on my home users having Cisco ASA/PIX devices, which they do not have. They mostly use Draytek Vigor Business ADSL routers, which are capable of making a L2L IPSec tunnel to a head office device (worked OK with the PIX without EasyVPN Server). There is no Easy VPN Client solution on home routers.

Are you familiar with Draytek Vigor routers?

You can do this, it is a bit tricky; you need to configure the crypto maps as dynamic crypto maps. Here is an example link for the config on a PIX from a router with a dynamic IP.

also a forum post regarding the set up on the ASA

Also one last important thing to note: the dynamic IP address device is the only one that can initiate traffic. Seems obvious, but some people miss this.
jongrewAuthor Commented:
Cheever000:  Thanks for your help.  I had seen this article before and skipped through it but I read it more carefully this time after you sent the link to it.

I had most of the configuration already in there from the migration from the PIX. Where I had gone wrong was to put a pre-shared key in the DefaultRAGroup at some point, probably in a desperate attempt to make it work one way or another. I removed this pre-shared key and checked I had the pre-shared key in the DefaultL2LGroup and applied the changes, and right away my dynamic routers started connecting.

I’m guessing that the pre-shared key in DefaultRAGroup stopped the connection attempt from dropping down to the DefaultL2LGroup to attempt connection on that group.  Not quite sure how that part works really but it does now.

I am awarding the points to you as you put me on the right track to resolve the issue

PeteLong: Thanks to you for also trying to assist me
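For reference, the pieces the thread ends up relying on, gathered into one ASA configuration as an added example; this is not jongrew's actual config or anything from Cheever000's or Pete Long's links. It assumes ASA 8.0–8.2 command syntax (8.4 and later prefix several of these with "ikev1", e.g. "crypto ikev1 policy" and "ikev1 pre-shared-key"), and the subnets, map name suffix, and key are constructed placeholders. The DefaultL2LGroup is the tunnel group the ASA falls back to for a LAN-to-LAN peer whose address matches no named tunnel group, which is why the key has to live there and not on DefaultRAGroup.

```cisco
! Added example, not the thread's configuration. ASA 8.0-8.2 syntax assumed.
! 192.168.10.0/24 (office LAN) and 10.10.0.0/16 (summary of home LANs) are constructed values.

! --- Phase 1: ISAKMP on the outside interface, with a policy the Draytek routers can match ---
crypto isakmp enable outside
! Home ADSL routers that sit behind a carrier NAT need NAT-T; harmless for those that do not.
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Weaker 3DES policy kept only while legacy peers still need it; remove once they are upgraded.
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! --- Phase 2 transform sets: AES preferred, 3DES listed second for legacy peers ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! --- Interesting traffic: our side is specific, the remote side is a summary of the home LANs ---
access-list outside_cryptomap_dyn_40 extended permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.0.0
! Exempt the same traffic from NAT so it reaches the crypto map untranslated.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! --- Dynamic crypto map: accepts peers whose public address is not known in advance ---
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES256-SHA ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 3600
! Attach it as the LAST entry of the static map; static-peer entries for the other
! offices keep lower sequence numbers so they are evaluated first.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! --- The fix from the thread: the shared key belongs on DefaultL2LGroup only ---
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
 isakmp keepalive threshold 10 retry 2
! Make sure no stray key is left on the remote-access default group.
tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key

! --- Verification after a home router brings its tunnel up ---
show crypto isakmp sa
show crypto ipsec sa
show running-config tunnel-group
```

Two things worth checking once this is in place. Because a single key on DefaultL2LGroup is shared by every dynamic-IP site, losing one router's configuration exposes the key for all of them, so rotate it when a site is decommissioned and keep the dynamic map's ACL as narrow as the home subnets allow rather than "any". And as Cheever000 noted, the home router must always be the initiator; if you need the office to reach a home site while its tunnel is down, the only options are keepalives from the remote end or a static peer entry for that site.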
