Right. Sorry if I skipped over the dynamic map. I can't get a config right now, but I'm pretty sure all that is needed on the static side is the dynamic map/regular crypto map, the DefaultL2L tunnel group for PSK, and then the nat 0 ACL if desired. The unit with the dynamic IP will not look any different than a normal static to static tunnel setup.

-----Original Message-----
From: Scott Granados [mailto:[email protected]]
Sent: Friday, January 07, 2011 1:50 PM
To: Eric Girard
Cc: [email protected]
Subject: Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer

If you had a config example that would be great. My understanding though is you'd set up a dynamic map, use the default tunnel group and matching policy. Makes sense.

On Jan 7, 2011, at 9:07 AM, Eric Girard wrote:

> Scott,
> At least as far as the tunnel group is concerned, your PSK goes into
> the built-in DefaultL2LGroup tunnel group. You still need to have the
> appropriate NAT exemptions if needed, but the interesting traffic on the core
> site is whatever the dynamic side asks for during tunnel setup. I can dig out a
> working config with an ASA at the core and a PIX on the dynamic side if
> needed.
>
> Eric
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Robert Maier
> Sent: Friday, January 07, 2011 11:48 AM
> To: [email protected]
> Subject: Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
>
> then you have to use a dynamic crypto map
>
> On 07.01.2011 01:40, Scott Granados wrote:
>> Actually, the branch is an old Pix.
>>
>> We also have an environment using a Juniper SRX so I'm not sure this is a
>> good fit.
>>
>> Thanks
>> Scott
>>
>> On Jan 6, 2011, at 4:34 PM, schilling wrote:
>>
>>> You have ASA/IOS routers on the branch office, right?
>>>
>>> Cisco Easy VPN Remote Client might be what you are looking for. You
>>> can use client mode or network extension mode according to your need.
>>>
>>> http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html
>>>
>>> Schilling
>>>
>>> On Thu, Jan 6, 2011 at 6:46 PM, Scott Granados <[email protected]>
>>> wrote:
>>>> Hi, I have a relatively simple question but the examples I find on
>>>> cisco.com don't seem to do much but confuse me. :)
>>>>
>>>> Here's the setup. I have a Cisco ASA with several site to site VPN
>>>> tunnels terminated to branch offices. All to date have used static IP
>>>> addressing on both sides so using the tunnel-group a.b.c.d type l2l has
>>>> been very simple. We now have a branch with PPPOE DSL and dynamic
>>>> addressing. Could someone provide an example of the ASA side how to
>>>> accept a VPN site to site session from a remote device using a dynamic IP.
>>>>
>>>> What do you use instead of the target tunnel-group / peer address entry?
>>>>
>>>> Presently the ASA is running 8.2.x code using a normal dynamic map for
>>>> remote clients and the standard crypto map entries for each peer. I assume
>>>> it's some variation on the dynamic map theme but not quite sure how to
>>>> make that work.
>>>>
>>>> Any pointers would be appreciated.
>>>>
>>>> Thanks
>>>> Scott
>>>>
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list [email protected]
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
