Cisco ASA Site to Site VPN: Static & Dynamic IP-based Peers

To configure a Site to Site VPN between two peers, one with a dynamic IP and the other with a static IP, a dynamic crypto map is used on the static side.
However, as the static peer is unaware of the remote peer's IP address, the VPN can only be initiated from the dynamic side.

Note: Unlike other vendors (such as the Juniper SRX), main mode is used for phase 1 negotiations between the dynamic/static peers (this can be confirmed via the command ‘sh vpn-sessiondb detail l2l’).

Static IP Peer

On the peer that has a static IP, the configuration is fairly standard. The only difference is that a dynamic crypto map is configured.

A dynamic crypto map is a crypto map that does not have all of its parameters defined; the missing parameters (such as the peer address) are learnt at the point that the IPsec tunnel is formed.

Note: The dynamic crypto map should have the highest sequence number within the crypto map, so that all other (static) crypto map entries are evaluated first.

crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <PRE-SHARED KEY>

access-list ENCDOM-100 permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
crypto map outside interface outside

access-list ENCDOM-100-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT

DHCP IP Peer

The configuration on the peer with a DHCP-assigned IP address is the same as a “normal” site to site VPN, i.e. a static crypto map is used instead of a dynamic one.

crypto isakmp policy 15
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key <PRE-SHARED KEY>

access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside

access-list ENCDOM-100-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT
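As an added sanity check (not part of the original post), the following Python script parses the crypto map and encryption-domain lines from both configurations above and verifies the two rules the post relies on: the dynamic entry carries the highest sequence number on the static peer, and the two encryption-domain ACLs are exact mirrors of each other. The sample configs are constructed from the lines above.

```python
import re

# Constructed sample: the crypto map and encryption-domain lines of each peer above.
STATIC_PEER = """
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
access-list ENCDOM-100 permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
"""
DYNAMIC_PEER = """
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

# "crypto map <name> <seq> <rest>"; the "crypto map ... interface" line does not match.
CRYPTO_MAP = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
# "access-list <name> [extended] permit ip <src> <mask> <dst> <mask>"
ENCDOM_ACL = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")

def dynamic_map_is_last(config):
    """True when every 'ipsec-isakmp dynamic' entry outranks all static entries in its map."""
    seqs, dynamic = {}, set()
    for line in config.splitlines():
        m = CRYPTO_MAP.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        seqs.setdefault(name, set()).add(seq)
        if rest.startswith("ipsec-isakmp dynamic"):
            dynamic.add((name, seq))
    for name, seq in dynamic:
        static = seqs[name] - {s for n, s in dynamic if n == name}
        if any(s > seq for s in static):
            return False  # a static entry would never be reached before the dynamic one
    return True

def encryption_domains(config):
    """Map ACL name -> set of (src_net, src_mask, dst_net, dst_mask) tuples."""
    acls = {}
    for line in config.splitlines():
        m = ENCDOM_ACL.match(line.strip())
        if m:
            acls.setdefault(m.group(1), set()).add(m.group(2, 3, 4, 5))
    return acls

def domains_mirror(local_acl, remote_acl):
    """True when the remote encryption domain is the local one with src/dst swapped."""
    return {(d, dm, s, sm) for s, sm, d, dm in local_acl} == remote_acl
```

Run it against the two configurations above with `domains_mirror(encryption_domains(STATIC_PEER)["ENCDOM-100"], encryption_domains(DYNAMIC_PEER)["ENCDOM-100"])`; a mismatch here is the usual cause of a phase 2 proposal failure.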

Rick Donato