
How to configure a Cisco ASA Site to Site VPN between Static and Dynamic IP based Peers ?

To configure a Site to Site VPN between two peers, one with a dynamic IP and the other with a static IP, a dynamic crypto map is used on the static side.
However, as the static-based peer is unaware of the remote peer's IP, the VPN can only be initiated from the dynamic side.

Note: Unlike other vendors (such as the Juniper SRX), main mode is used for phase 1 negotiations between the dynamic/static based peers (this can be confirmed via the command 'sh vpn-sessiondb detail l2l').

Static IP Peer

On the peer that has a static IP, the configuration is fairly standard. The only difference is that a dynamic crypto map is configured.

A dynamic crypto map is a crypto map that does not have all of its parameters defined; these are learnt later, at the point the IPsec tunnel is formed.

Note: The dynamic crypto map should have the highest sequence number within the crypto map, so that all other (static) crypto map entries are evaluated first and only unmatched traffic falls through to the dynamic entry.

crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside

tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key <PRE-SHARED KEY>

access-list ENCDOM-100 permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
crypto map outside interface outside

access-list ENCDOM-100-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT

DHCP IP Peer

The configuration on the peer with a DHCP-assigned IP address is the same as a "normal" site to site VPN, i.e. a static crypto map is used instead of a dynamic one, with the static peer's address set explicitly.

crypto isakmp policy 15
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  pre-shared-key <PRE-SHARED KEY>

access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside

access-list ENCDOM-100-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT
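Two things commonly go wrong with this setup: the dynamic entry does not end up with the highest sequence number, and the crypto ACLs on the two peers are not mirror images of each other. The following added example (not part of the original article) checks both against copies of the configurations above; the second crypto map entry (sequence 200, peer 3.3.3.3, ACL ENCDOM-200) on the static side is a constructed addition used to show the ordering check failing.

```python
import re

# Constructed sample: the static-IP peer's crypto section from the article,
# plus an extra static entry (seq 200, peer 3.3.3.3) that is an assumption.
STATIC_PEER_CFG = """
access-list ENCDOM-100 permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list ENCDOM-200 permit ip 172.16.1.0 255.255.255.0 10.1.200.0 255.255.255.0
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
crypto map outside 200 match address ENCDOM-200
crypto map outside 200 set peer 3.3.3.3
crypto map outside interface outside
"""

# Constructed sample: the DHCP-IP peer's crypto section from the article.
DYNAMIC_PEER_CFG = """
access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$", re.M)
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)


def check_dynamic_map_order(cfg):
    """Return (dynamic_seqs, highest_seq, ok). ok is True only when every
    'ipsec-isakmp dynamic' entry carries the highest sequence number."""
    all_seqs, dyn_seqs = set(), set()
    for _name, seq, rest in CRYPTO_MAP_RE.findall(cfg):
        all_seqs.add(int(seq))
        if rest.startswith("ipsec-isakmp dynamic"):
            dyn_seqs.add(int(seq))
    highest = max(all_seqs)
    return sorted(dyn_seqs), highest, all(s == highest for s in dyn_seqs)


def crypto_acl(cfg, name):
    """Set of (src, src_mask, dst, dst_mask) tuples for the named ACL."""
    return {(s, sm, d, dm) for n, s, sm, d, dm in ACL_RE.findall(cfg) if n == name}


def acls_mirror(cfg_a, name_a, cfg_b, name_b):
    """True when ACL name_a on peer A is exactly the reverse of name_b on peer B."""
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl(cfg_b, name_b)}
    return crypto_acl(cfg_a, name_a) == mirrored


if __name__ == "__main__":
    print("dynamic entry last:", check_dynamic_map_order(STATIC_PEER_CFG))
    print("ACLs mirrored:", acls_mirror(STATIC_PEER_CFG, "ENCDOM-100",
                                        DYNAMIC_PEER_CFG, "ENCDOM-100"))
```

With the constructed entry 200 present, the ordering check reports the dynamic entry (100) is no longer the highest sequence, which is exactly the condition the note above warns against.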


Tags: ASA, VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001