Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
> Here's the setup. I have a Cisco ASA with several site to site VPN tunnels terminated to branch offices. All to date have used static IP addressing on both sides so using the tunnel-group a.b.c.d type l2l has been very simple. We now have a branch with PPPOE DSL and dynamic addressing. Could someone provide an example of the ASA side how to accept a VPN site to site session from a remote device using a dynamic IP.

We have a handful of remote sites that use broadband cards as a mechanism to bypass failed T1s so they get dynamic addresses as well.

ASA - Linksys_w_broadband --- Internet --- ASA_VPN_term --- core_network

I'll send you the appropriate snippets if you wish directly and post it here too. I think the key was (not intended pun) to use pre-shared keys for the tunnel. The remote end certainly knows about the centralized VPN core device and that can have a static entry but the core of course can't.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
then you have to use a dynamic crypto map

On 07.01.2011 01:40, Scott Granados wrote:
> Actually, the branch is an old Pix. We also have an environment using a Juniper SRX so I'm not sure this is a good fit.
>
> Thanks
> Scott
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
Scott,

At least as far as the tunnel group is concerned, your PSK goes into the built-in DefaultL2LGroup tunnel group. You still need to have the appropriate NAT exemptions if needed, but the interesting traffic on the core site is whatever the dynamic side asks for during tunnel setup.

I'll dig out a working config with an ASA at the core and a PIX on the dynamic side if needed.

Eric

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Robert Maier
Sent: Friday, January 07, 2011 11:48 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer

then you have to use a dynamic crypto map
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
If you had a config example that would be great. My understanding though is you'd set up a dynamic map, use the default tunnel group and matching policy. Makes sense.

On Jan 7, 2011, at 9:07 AM, Eric Girard wrote:

> Scott,
>
> At least as far as the tunnel group is concerned, your PSK goes into the built-in DefaultL2LGroup tunnel group. You still need to have the appropriate NAT exemptions if needed, but the interesting traffic on the core site is whatever the dynamic side asks for during tunnel setup.
>
> I'll dig out a working config with an ASA at the core and a PIX on the dynamic side if needed.
>
> Eric
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
Right. Sorry if I skipped over the dynamic map. I can't get a config right now, but I'm pretty sure all that is needed on the static side is the dynamic map/regular crypto map, the DefaultL2L tunnel group for PSK, and then the nat 0 ACL if desired. The unit with the dynamic IP will not look any different than a normal static to static tunnel setup.

-----Original Message-----
From: Scott Granados [mailto:sc...@granados-llc.net]
Sent: Friday, January 07, 2011 1:50 PM
To: Eric Girard
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer

If you had a config example that would be great. My understanding though is you'd set up a dynamic map, use the default tunnel group and matching policy. Makes sense.
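The pieces Eric lists (a dynamic map hung off the regular crypto map, the PSK in DefaultL2LGroup, and a nat 0 ACL) written out as an ASA 8.2 configuration fragment. This is an added example, not a config posted in the thread; the interface name, map and ACL names, the 10.1.0.0/16 core and 192.168.x.0/24 branch networks, the 203.0.113.10 static peer and the PSK placeholder are all assumed.

```cisco
! --- IKEv1 phase 1 on the Internet-facing interface (name "outside" assumed)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- Phase 2 transform set shared by the static and the dynamic peers
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Dynamic crypto map: no "set peer", so a peer at any address can negotiate.
! The proxy identities (interesting traffic) come from the branch's proposal;
! the optional "match address" ACL limits which networks it may claim.
! Only the branch can initiate: the core has no address to send to.
access-list DYN-BRANCH-NETS extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto dynamic-map DYN-L2L 10 match address DYN-BRANCH-NETS
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-L2L 10 set pfs group2

! --- Existing static peers keep their numbered entries (example values shown);
! the dynamic entry takes the highest sequence number so it is matched last.
access-list BRANCH1-VPN extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address BRANCH1-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside

! --- PSK for L2L peers whose address matches no named tunnel-group.
! Every dynamic-IP branch authenticates with this one key, so make it long
! and random, and rotate it when a branch device is retired or lost.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>

! --- 8.2-style NAT exemption (the "nat 0 ACL") for core-to-branch traffic
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

The branch side is configured exactly like a static-to-static tunnel pointing at the core's fixed address; an existing remote-access dynamic map can sit at its own sequence number in the same crypto map.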
[c-nsp] Site to Site VPN using ASA and far end with dynamic peer
Hi, I have a relatively simple question but the examples I find on cisco.com don't seem to do much but confuse me. :)

Here's the setup. I have a Cisco ASA with several site to site VPN tunnels terminated to branch offices. All to date have used static IP addressing on both sides so using the tunnel-group a.b.c.d type l2l has been very simple. We now have a branch with PPPOE DSL and dynamic addressing. Could someone provide an example of the ASA side how to accept a VPN site to site session from a remote device using a dynamic IP. What do you use instead of the target tunnel-group / peer address entry?

Presently the ASA is running 8.2.x code using a normal dynamic map for remote clients and the standard crypto map entries for each peer. I assume it's some variation on the dynamic map theme but not quite sure how to make that work. Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
You have ASA/IOS routers on the branch office, right? Cisco Easy VPN Remote Client might be what you are looking for. You can use client mode or network extension mode according to your need.

http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html

Schilling

On Thu, Jan 6, 2011 at 6:46 PM, Scott Granados <sc...@granados-llc.net> wrote:
> Hi, I have a relatively simple question but the examples I find on cisco.com don't seem to do much but confuse me. :)
>
> Here's the setup. I have a Cisco ASA with several site to site VPN tunnels terminated to branch offices. All to date have used static IP addressing on both sides so using the tunnel-group a.b.c.d type l2l has been very simple. We now have a branch with PPPOE DSL and dynamic addressing. Could someone provide an example of the ASA side how to accept a VPN site to site session from a remote device using a dynamic IP. What do you use instead of the target tunnel-group / peer address entry?
>
> Presently the ASA is running 8.2.x code using a normal dynamic map for remote clients and the standard crypto map entries for each peer. I assume it's some variation on the dynamic map theme but not quite sure how to make that work. Any pointers would be appreciated.
>
> Thanks
> Scott
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
Actually, the branch is an old Pix. We also have an environment using a Juniper SRX so I'm not sure this is a good fit.

Thanks
Scott

On Jan 6, 2011, at 4:34 PM, schilling wrote:

> You have ASA/IOS routers on the branch office, right? Cisco Easy VPN Remote Client might be what you are looking for. You can use client mode or network extension mode according to your need.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html
>
> Schilling