Hi,

The current senario is as follows:
ASA 5505 Site A connects to ASA 5505 Site B S2S VPN, both has static IP address.

Now I need to change from ISP so that I can get more internet bandwidth, but the new ISP only has dynamic IP address.

Now I need to change Site B's config to use dynamic IP and still connect to Site A and establish a S2S VPN.

How can I do this?
I want the ASA 5505 to change its IP daily so that the VPN connection is still up even if the ISP at site B changes its IP.
Or a way to do this automatically as I don't have anybody at site B that can do this manually for me.

I hope you can help me out here,

Thank you,
Eldon

this is for routers, but creation of the dynamic peer entires should be similar to what you want to do.

YMMV

In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:

You can built an Ipsec VPN tunnel between Cisco routers, both on Dynamic IP addresses


In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:


Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map.
On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.

Note:

1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above

Examples
#
The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.

The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPSec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPSec tunnel) with the peer.

The following example shows that the first peer, at IP address 1.1.1.1, is the default peer.

The following example shows that the peer with the host name fred is the default peer.





ref: https://supportforums.cisco.com/thread/343363

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

Hi,

Thank you for the quick reply.
But I need to change only 1 site to dynamic, the other site will stay static.

Current scenario is site A (static IP) site B (static IP)
I want this Site A Head Office (Static IP), site B BO (dynamic IP).

Not both of them dynamic only 1.

Can I send you my current config and you tell me what I need to change on both sides so that I can have s-2-s VPN again after the change.

Again thank you for the help,

Eldon

Casseres, since you have ASA, the solution for you is NEM (Network Extension Mode). It allows one ASA to work as the server and accept dynamic connections. The other ASA has a pre-configured server address to which it tries to establish a tunnel no matter what it's current dynamic IP is. This still creates a site to site VPN.
parts of config:
Client:


Server:

_________________
-- there is no limit to amusement ---

Thank you again for the help, but I want help connecting the 2 ASA to each other, 1 ASA has a static IP and the other has a dynamic IP.

At this moment I am not concerned with a client connecting to the using VPN client, but connecting the 2 ASA.

Thank you,

Eldon

Setting up an ASA as an EZVPN client like zavrik pointed out effectively turns the firewall into a mobile hardware client that phones home to a static peer and establishes a tunnel. You aren't using anything like the IPSec client software on endpoints.

The first ASA will be configured as the "server" and will have the static IP.

The second ASA will be configured as the "client" and can use dynamic IP addresses but will always phone home to the "server" at the statically configured peer address.

_________________
The Cubicle Wizard
http://cubiclewizard.blogspot.com/

Casseres, I gave you code for configuration of 2 ASAs. Where do you see clients/VPN clients and such??

_________________
-- there is no limit to amusement ---

Hi Zavrik,

I saw in the clients, vpnclient statements, I thought that it was connection for a VPN Client.

Can you look at my cureent config and sees what I need to change to have them connect?

Thanks again for the help,

Eldon

Eldon,
I posted you the exact configuration that you need to create on your two ASA's
Use it

_________________
-- there is no limit to amusement ---