Cisco ASA Site to Site VPN: Static & Dynamic IP-based Peers

Published 2013-06-01 (fir3net.com)

To configure a Site to Site VPN between two peers, one with a dynamic IP and the other with a static IP, a dynamic crypto map is used. However, as the static-based peer is unaware of the remote peer's IP, the VPN can only be initiated from the dynamic side.

Note: Unlike other vendors (such as the Juniper SRX), main mode is used for phase 1 negotiations between the dynamic/static based peers (this can be confirmed via the command 'sh vpn-sessiondb detail l2l').

Static IP Peer

On the peer that has a static IP, the configuration is pretty standard. The only difference is that a dynamic crypto map is configured.

A dynamic crypto map is a crypto map that does not have all of its parameters defined; these are learnt later, at the point that the IPsec tunnel is formed.

Note: The dynamic crypto map should have the highest sequence number within the crypto map to ensure that all other crypto map entries are evaluated first.

crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <PRE-SHARED KEY>

access-list ENCDOM-100 permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
crypto map outside interface outside

access-list ENCDOM-100-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT

DHCP IP Peer

The configuration on the peer hosting a DHCP-based IP address is the same as a "normal" site to site VPN, i.e. a static crypto map is used instead of a dynamic one.

crypto isakmp policy 15
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key <PRE-SHARED KEY>

access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside

access-list ENCDOM-100-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT