ASA - s2s vpn with dynamic ip - Dungeon tunnel upward

Hi guys,.

We want to set up a vpn between our central asa5520, and a new branch office asa5505 with dynamic public ip address.

This type of configuration is supported, but the tunnel can only be initiated from the asa distance (the asa central do not know how to reach the asa remote).

prove that on this vpn also transit traffic voice, we must always maintain the tunnel.

A solution would be to have a kind of continuous ping from the remote office to the central office... is more 'professional' wat to reach our goal?

Thank you.

Try, 'management-access to the inside' of the asa and ping

Tags: Cisco Security

Similar Questions

  • ASA ASA Site2Site VPN with dynamic NAT in version 8.2

    I did everything for NAT to 9.x and I don't have much at all with NAT in 8.2 and earlier with this configuration.

    I have some local subnets:

    172.30.1.0/24
    172.30.16.0/24
    172.30.3.0/24
    172.30.12.0/24
    172.30.7.0/24
    172.30.35.0/24

    who will need to access a remote subnet:

    10.31.255.128/25

    and the requirement is to NAT the following text:

    A lot of requirement much NAT.
    172.30.1.0/24 NAT at 192.168.104.0/24
    172.30.16.0/24 NAT at 192.168.105.0/24
    172.30.3.0/24 NAT at 192.168.108.0/24
    172.30.12.0/24 NAT at 192.168.106.0/24
    172.30.7.0/24 NAT at 192.168.107.0/24
    172.30.35.0/24 NAT at 192.168.103.0/24

    When you go to the 10.31.255.128/25 subnet.

    Here's what I think, I need and I'm looking for confirmation and/or messages.

    Config group *.

    object-group, LAN using a NAT-NETWORKS
    192.168.104.0 subnet 255.255.255.0
    192.168.105.0 subnet 255.255.255.0
    192.168.108.0 subnet 255.255.255.0
    192.168.106.0 subnet 255.255.255.0
    192.168.107.0 subnet 255.255.255.0
    192.168.103.0 subnet 255.255.255.0

    Group of objects to REMOTE-network
    subnet 10.31.255.128 255.255.255.128

    ACL for the crypto-card *.

    REMOTE_cryptomap_72 list extended access permitted ip object-group LOCAL-using a NAT-NETWORKS-group of objects to REMOTE-NETWORK

    Config NAT

    NAT (inside) 10 172.30.1.0 255.255.255.0
    NAT (inside) 20 172.30.16.0 255.255.255.0
    NAT (inside) 30 172.30.3.0 255.255.255.0
    NAT (inside) 40 172.30.12.0 255.255.255.0
    NAT (inside) 50 172.30.7.0 255.255.255.0
    NAT (inside) 60 172.30.35.0 255.255.255.0

    Global (outside) 10 192.168.104.0 255.255.255.0
    Global (outside) 20 192.168.105.0 255.255.255.0
    Global (outside) 30 192.168.108.0 255.255.255.0
    Global (outside) 40 192.168.106.0 255.255.255.0
    Global (outside) 50 192.168.107.0 255.255.255.0
    Global (outside) 60 192.168.103.0 255.255.255.0

    This sets up the set of transformation which is called in the Crypto map.* *.

    Crypto ipsec transform-set ikev1 REMOTE-SET esp-3des esp-sha-hmac

    This sets up the Crypto map.* *.

    address for correspondence card crypto outside_map 72 REMOTE_cryptomap_72
    peer set card crypto outside_map 72 5.5.5.4
    card crypto outside_map 72 set transform-set REMOTE-SET ikev1
    outside_map card crypto 72 the value reverse-road

    Implements IKE *.

    IKEv1 crypto policy 72
    sha hash
    preshared authentication
    Group 2
    lifetime 28800
    3des encryption

    Sets up the Group of tunnel (connection profile) *.

    tunnel-group 5.5.5.4 type ipsec-l2l
    IPSec-attributes tunnel-group 5.5.5.4
    IKEv1 pre-shared-key * TBD *.

    Thank you

    Mike

    With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...

  • VPN with ASA 5500 VPN with PIX 515E vs

    I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.

    Craig

    According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

    On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

    HTH

    Rick

  • ASA IPSEC VPN with public IP dynamic

    Hey,.

    I have never deployed IPSEC VPN tunnel using ASA on two sides of a side using public IP dynamic production. I normally deploy VPN Tunnels with both sides using public static IP addresses (not always a public IP address on ASA directly however).

    So I wonder how stable it works with a static public IP and the other side uses dynamic public IP?

    Thank you

    Shuai

    If you use certificates and psk or main mode and aggressive it will work very well. I have a number of production sites using this method.

    Sent by Cisco Support technique iPad App

  • S2S VPN with multiple context

    Hello

    I intend to combine two ASA 5510 (used for the separate VPN S2S requirements) in a single Cisco ASA 5512 - X using contexts. I would like to know if someone has deployed VPN S2S in multi mode context, known problems and how the distribution of resources is made (for example)?

    Thanks in advance

    Krishna

    Hello Krishna,

    Implementation of VPN in multiple mode requires the division of total available VPN licenses between the configured settings. ASA administrator can configure how many licenses each context is allocated.

    By default, no license of VPN tunnel is attributed to the contexts and the award of the license type must be done manually by the administrator.

    Here is a document for your reference:-
    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/116639-TechNote-ASA-00.html

    Concerning
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Cisco ASA 5510 VPN with PIX 515

    Hello

    I have VPN between Cisco ASA and Cisco PIX.

    I saw in my syslog server this error that appears once a day, more or less:

    Received a package encrypted with any HIS correspondent, drop

    I ve seen issue in another post, but in none of then the solution.

    Here are my files from the firewall configuration:

    Output from the command: 'show running-config '.

    : Saved
    :
    ASA Version 8.2 (1)
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto WAN_map2 2 corresponds to the address WAN_cryptomap_1
    card crypto WAN_map2 2 set pfs
    card crypto WAN_map2 2 peer 62.80.XX game. XX
    map WAN_map2 2 game of transformation-ESP-DES-MD5 crypto
    card crypto WAN_map2 2 defined security-association 2700 seconds life
    card crypto WAN_map2 2 set nat-t-disable
    card crypto WAN_map2 WAN interface
    enable LAN crypto ISAKMP
    ISAKMP crypto enable WAN
    crypto ISAKMP policy 1
    preshared authentication
    the Encryption
    md5 hash
    Group 5
    lifetime 28800
    No encryption isakmp nat-traversal
    tunnel-group 62.80.XX. XX type ipsec-l2l
    tunnel-group 62.80.XX. IPSec-attributes of XX
    pre-shared-key *.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    8.0 (4) version PIX
    !
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card encryption VPN_map2 3 corresponds to the address VPN_cryptomap_2
    card encryption VPN_map2 3 set pfs
    card crypto VPN_map2 3 peer 194.30.XX game. XX
    VPN_map2 3 transform-set ESP-DES-MD5 crypto card game
    card encryption VPN_map2 3 defined security-association life seconds 2700
    card encryption VPN_map2 3 set security-association kilobytes of life 4608000
    card VPN_map2 3 set nat-t-disable encryption
    VPN crypto map VPN_map2 interface
    crypto ISAKMP enable VPN
    crypto ISAKMP allow inside
    crypto ISAKMP policy 30
    preshared authentication
    the Encryption
    md5 hash
    Group 5
    lifetime 28800
    No encryption isakmp nat-traversal
    ISAKMP crypto am - disable
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec
    tunnel-group 194.30.XX. XX type ipsec-l2l
    tunnel-group 194.30.XX. IPSec-attributes of XX
    pre-shared-key *.

    If you need more information dedailed ask me questions.

    Thanks in advance for your help.

    Javi

    Hi Javi,

    Please after the release of "see broadcasting DfltGrpPolicy of any political group." See if you have the "vpn-idle-timoeout" command configured in that. If so, please change to "vpn-idle-timeout no" and see if that stops at these popping up error messages.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426

    Thank you and best regards,

    Assia

  • ASA SSL VPN with RSA authentication

    All those implemented SSL VPN on a device of the ASA using remote Securid tokens? The technical sheets indicate native RSA can be used for authentication, but this works with SSL VPN?

    Thank you

    Try this link

    http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

  • VPN with dynamic IP. How to use DNS?

    Hello

    I installed a site to site VPN IPSec between two routers cisco IPs public Static. I notice that I can use dynamic IPs for the case with point-to-multipoint or IPs instead host names. In this case, I can use this command to configure the VPN:

    (config) #crypto isakmp identity hostname

    (config) #crypto isakmp key XXXXX hostname 'Remote_name '.

    (config-crypto-map) # defined peer 'Remote_name '.

    I also noticed that I can use a router cisco as a DNS, and I can add the host records with:

    IP host 'Remote_Name' "IP address"

    In fact, I want only one router to work with Static public IP (Router_A) and the other with the dynamic public IP (Router_B) of ISP address. Then maybe I can put the router with static IP address to work as the DNS server. I know how DynDNS works with an account and update client software on a PC/server, but I've never used the hardware update DNS clients, and I don't know what steps I must follow to implement this.

    Hi John,.

    The section in the link below should help you to configure DDNS on your router:

    (See example Http update)

    http://www.Cisco.com/en/us/docs/iOS/12_3/12_3y/12_3ya8/gt_ddns.html#wp1203580

    This link shows a \windows\system32\conifg\system summary:

    http://www.no-IP.com/support/guides/routers/using_cisco_routers_with_no-IP.html

    Static dynamic VPN to refer to this link (this requires no DDNS):

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080093f86.shtml

    HTH

    Kind regards

    Praveen

  • ASA remote VPN with DHCP failed

    I am running a version 8.3 ASA5540 (2). I have several deletion of vpn users working on this server. Lately, I have had problems with people starting or being not not able to route any where and it seems to be cause that they fight for the same IP address using the local pool, so I decided to try to DHCP rather (I have no idea why he keeps overlapping IPs, we have tons in the pool and they fight for the same). This just started about a month ago, we use only maybe 3-5 fps on / 24 block. The only thing that changed was we hired more people, but we have separate groups for team operations corporate vs.

    So I configure the scope dhcp-network for the subnet and the server dhcp under the policies. I see demand go on the server, but it seems to put the MAC ASA in the field of the hardware address of the Client in the DHCP header. I have attached the IBDP of ASA showing this. Anyone know why this is happening and is there a way around it?

    Hello Keith,

    118 great option to have this info.

    Please keep an eye on it and if you still see it works please mark it as answered so future users can refer to this discussion for a solution

    Concerning

  • SSL VPN with dynamic IP

    Hello

    I want to configure a VPN SSL on an international search report which is to obtain a dynamic IP address from the ISP. I know that the static configuration using IP. How to configure this to a dynamic IP address?

    Kind regards
    Tony

    Hello Tony,.

    Just because u asked him

    Use the following syntax:

    WebVPN gateway x.x.x

    port IP interface giga 0 443

    In this case u get public ip address on giga 0,

    Be sure to note all the useful messages.

    For this community, which is as important as a thank you.

  • IPSEC VPN with Dynamics to dynamic IP

    Hello

    I tried IPSEC VPN with dynamic IP to dynamic (router to router) for some time. But still can not auto-établir the tunnel.

    Is someone can you please tell me if it is possible to do?

    If so, please share with me the secret to do work.

    Thank you!

    Best regards

    Rather than the Crypto map, I would use the profile of Crypto.  Then, establish you an IPSEC tunnel.  The beauty of the profile, is that you can run through it routing protocols, and you do not have to change constantly the cards whenever you change the topology of the network.  The "* * *" in the timer event is "minute hour day week month" so "* * *" is updated every minute.  In Tunnel destination, it's an IP address, not a hostname that is stored, but when you set it, you can put in a HOST name and it converts to the moment where you configure it to an IP address.

    So, if you type:

    config t

    interface tunnel100
    destination remote.dyndns.com tunnel

    output

    See the race int tunnel100

    It shows:

    interface Tunnel100
    tunnel destination 75.67.43.79

    That's why the event handler goes and becomes the destination of tunnel every minute what ever the DDNS says that is the new IP address.

    I have seen that two of your routers running DDNS.  They will have to do this.

    Local router:

    crypto ISAKMP policy 1
    BA aes 256
    preshared authentication
    Group 2
    ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
    !
    !
    Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
    !
    Profile of crypto ipsec CRYPTOPROFILE
    game of transformation-ESP-AES-SHA
    !
    interface Tunnel100
    Description of remote.dyndns.org
    IP 10.254.220.10 255.255.255.252
    IP virtual-reassembly
    IP tcp adjust-mss 1400
    source of Dialer0 tunnel
    tunnel destination 75.67.43.79
    ipv4 ipsec tunnel mode
    Tunnel CRYPTOPROFILE ipsec protection profile

    IP route 192.168.2.0 255.255.255.0 10.254.220.9

    Change-tunnel-dest applet event handler
    cron-event entry timer cron name "CHRON" * * *"
    command action 1.0 cli 'enable '.
    action 1.1 cli command "configures terminal.
    Action 1.2 command cli "interface tunnel100".
    Action 1.3 cli command "destination remote.dyndns.org tunnel".
    !

    --------

    Remote router:

    crypto ISAKMP policy 1
    BA aes 256
    preshared authentication
    Group 2
    ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
    !
    !
    Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
    !
    Profile of crypto ipsec CRYPTOPROFILE
    game of transformation-ESP-AES-SHA
    !
    interface Tunnel100
    Description of local.dyndns.org
    IP 10.254.220.9 255.255.255.252
    IP virtual-reassembly
    IP tcp adjust-mss 1400
    source of Dialer0 tunnel
    tunnel destination 93.219.58.191
    ipv4 ipsec tunnel mode
    Tunnel CRYPTOPROFILE ipsec protection profile

    IP route 192.168.1.0 255.255.255.0 10.254.220.10

    Change-tunnel-dest applet event handler
    cron-event entry timer cron name "CHRON" * * *"
    command action 1.0 cli 'enable '.
    action 1.1 cli command "configures terminal.
    Action 1.2 command cli "interface tunnel100".
    Action 1.3 cli command "destination local.dyndns.org tunnel".

    Thank you

    Bert

  • VPN IPSEC ASA with counterpart with dynamic IP and certificates

    Hello!

    Someone please give me config the work of the ASA for ASA Site to Site IPSEC VPN with counterpart with dynamic IP and authentication certificates.

    He works with PSK authentication. But the connection landed at DefaultRAGroup instead of DefaultL2LGroup with certificate

    authentication.

    Should what special config I ask a DefaultRAGroup to activate the connection?

    Thank you!

    The ASA uses parts of the client cert DN to perform a tunnel-group  lookup to place the user in a group.  When "peer-id-validate req" is  defined the ASA also tries to compare the IKE ID (cert DN) with the  actual cert DN (also received in IKE negotiation), if the comparison  fails the connection fails. know you could set "peer-id-validate cert"  for the time being and the ASA will try to compare the values but allow  the connection if it cannot.

    In general I would suggest using option "cert."

    With nocheck, we are simply not strict on IKE ID matchin the certificate, which is normally not a problem of security :-)

  • VPN ASA ASA with dynamic IP of the branch

    Hello

    I would like to connect a private network Virtual Office HQ to a branch using two ASAs.

    I have a 5520 in the HQ and 5505 in the branch.

    My problem is in the office where I have a dynamic IP (ADSL).

    I couldn't find an example of this type of configuration.

    Can you help me?

    Kind regards

    Sergio Santos

    Hi Sergio,

    Well, you have two options:

    • Dynamic to static L2L tunnel:

    On the 5520, you must configure a dynamic encryption card because you don't know the IP address the 5505 will have and even if you IP address may vary. So:

    Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

    Crypto-map dynamic dynmap 1 transform-set RIGHT
    Crypto-map dynamic dynmap 1 the value reverse-road
    map mymap 10-isakmp IPSec crypto dynamic mymap
    mymap outside crypto map interface

    If you already have other tunnels already configured them just change the name of the crypto map that I used above with one you already have, in the example I used a sequence of 10 number because I have more tunnels in place but you need without ensuring that the card encryption where you attach the dynamic crypto map has the highest value! ID recommend using a value of 65535, which is the highest, you can use, this will allow you to configure static tunnels in the future without having need to reconfigure one you linked to the dynamics.

    Besides that you must configure the tunnel-group... but as you know for tunnels L2L with PSK in MainMode tunnel-group name MUST be the IP address peer, and in this case, we do not know, do not worry, we can configure the PSK under the DefaultL2LGroup

    IPSec-attributes tunnel-group DefaultL2LGroup
    pre-shared-key *.

    That's all you need on the 5520, in addition to the basic configuration PH1 for the construction of a tunnel.

    On 5505 all you need to do is to set up a regular tunnel because from the point of view 5505, we know the IP address of the 5520 and it will not change:

    map MYMAP 1 IPSec-isakmp crypto
    defined peer X.X.X.X
    Set transform-set RIGHT
    match address MYCRYPTOACL

    Group of tunnel X.X.X.X IPSec-attributes
    pre-shared-key *.

    • The other option will be to configure EzVPN you use a 5505

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/ezvpn505.html

    HTH!

  • Easy VPN with the Tunnel Interface virtual IPSec dynamic

    Hi all

    I configured easy vpn remote on a cisco 1841 and dynamic server easy vpn with virtual tunnel interface on the server (cisco 7200, 12.4.15T14)

    http://www.Cisco.com/en/us/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

    It works with easy vpn remote to the client mode and mode network-extesión, but it doesn't seem to work when I configure mode plus network on the client of the cpe, or when I try to have TWO inside the ez crypto interfaces. On the customer's site, I see two associations of security, but on the server PE site only security SA!

    Without virtual dynamic tunnel interface, dynamic map configuration is ok... This is a limitation of the virtual tunnnel dynamic interface?

    Federica

    If one side is DVTI and the other uses a dynamic map, it does support only 1 SA. If the two end uses DVTI or the two end uses dynamic card then it supports several SAs.

    Here is the note of documentation for your reference:

    Note: Multiple inside interfaces are supported only when the Cisco Easy VPN server and the Cisco Easy VPN client have the same type of Easy VPN configuration. In other words, both must use a Legacy Easy VPN configuration, or both must use a DVTI configuration.

    Here's the URL:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1046365

    Hope that answers your question.

  • iPsec S2S ASA to ASR with VRF using Lo's ADDRESS

    so, I have a solution and then a question about this solution:

    first the solution and the config for any guy in the future, who would need it:

    to configure the ASA VPN to the ASR:

    door-key crypto KEY-SITE-B-DC

    address [asr-ip-address]

    pre-shared key address [address-ip-ASA] key test123

    !

    Crypto ISAKMP-SITE-B-DC isakmp profile

    VRF VPN

    door KEY-SITE-B-DC

    identity function address [address-ip-ASA] 255.255.255.255

    !

    crypto ISAKMP policy 9

    BA aes

    preshared authentication

    Group 2

    lifetime 28800

    !

    card crypto VPN - S2S - address Loopback11

    Map 10 S2S - VPN ipsec-isakmp crypto

    Description # VPN S2S SITE-B-DC ASA #.

    defined by peer [ASA-ip-address]

    game of transformation-TRANS_SET-SITE-B-DC

    PFS group2 Set

    define the profile of isakmp ISAKMP-SITE-B-DC

    match address IPSEC-VPN-ACL_SITE-B-DC

    !

    Crypto ipsec transform-set esp-aes - TRANS_SET-SITE-B-DC esp-sha-hmac

    tunnel mode

    !

    EXIT/ENTRY interface

    Description # BECAUSE RUN US DYNAMIC PROTOCOL BGP (in my case), no matter WHAT INTERFACE COULD BE THE If INPUT/OUTPUT, SO THESE IFs MUST ALSO HAVE THE CRYPTOMAP #.

    S2S - VPN crypto card

    !

    interface Loopback11

    Description # IPSEC TEST #.

    IP 255.255.255.255 [asr-ip-address]

    !

    !

    IPSEC-VPN-ACL_SITE-B-DC extended IP access list

    permit ip host [ASR-LAN-addresses] [ASA-LAN-addresses]

    !

    IP route vrf VPN [ASA-LAN-addresses] 255.255.255.x 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROAD (ANYCAST) * the road here is for the traffic is encrypted, the next hop MUST be no recursive road *.

    !

    So now for my question:

    REALLY should be a route with a match on the other than a default route routing table?

    (because it does not work with a route that directs the default route, even when the recursive path pointing to the interface even spefic road made).

    is there any other way to do this? because to point the way to 8.8.8.8, means im my tunnels to be available on the availability of a course of 8.0.0.0 in the RIBS.

    help would be what enjoyed here guys!

    Why not let the router hide the complexity of administration using IPP?

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-Rev-RTE-inject.html#GUID-DEBFE993-16DF-4599-946A-1B7A42521C92

    The example is not perfect because of the connection point to point between two routers, but you can understand what IP address as the gateway.

    I suggest also entry of cryptographic cards, the new software. logical interfaces with tunnel protection is the way to go. The problem does not appear here.

Maybe you are looking for