Casseres

Connect ASA 5505 S2S VPN guidance

Tue Feb 28, 2012 4:58 pm

Hi,

The current scenario is as follows:
ASA 5505 at Site A connects to ASA 5505 at Site B over an S2S VPN; both have static IP addresses.

Now I need to change ISP so that I can get more internet bandwidth, but the new ISP only offers dynamic IP addresses.

Now I need to change Site B's config to use a dynamic IP and still connect to Site A and establish an S2S VPN.

How can I do this?
I want the ASA 5505 to be able to change its IP daily so that the VPN connection is still up even if the ISP at site B changes its IP.
Or a way to do this automatically, as I don't have anybody at site B who can do this manually for me.

I hope you can help me out here,

Thank you,
Eldon

ristau5741

Re: Connect ASA 5505 S2S VPN guidance

Wed Feb 29, 2012 12:40 pm

This is for routers, but creation of the dynamic peer entries should be similar to what you want to do.

YMMV

You can build an IPsec VPN tunnel between Cisco routers, both on dynamic IP addresses.

In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:

1. Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map.
2. On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.

Note:

1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above

Examples

The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPsec peer at 10.0.0.1 or the peer at 10.0.0.2.

 ! static crypto map with two candidate peers; the router tries them in order
 crypto map mymap 10 ipsec-isakmp
  match address 101
  set transform-set my_t_set1
  set peer 10.0.0.1
  set peer 10.0.0.2

The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPsec peer; that is, the host name of the peer is resolved via a DNS lookup right before the router establishes a connection (an IPsec tunnel) with the peer.

 ! "dynamic" makes the router resolve b.cisco.com each time it brings the tunnel up
 crypto map secure_b 10 ipsec-isakmp
  match address 140
  set peer b.cisco.com dynamic
  set transform-set xset
 interface serial1
  ip address 30.0.0.1
  crypto map secure_b
 ! crypto ACL 140 selects the traffic that is sent through the tunnel
 access-list 140 permit ...

The following example shows that the first peer, at IP address 1.1.1.1, is the default peer.

 crypto map tohub 1 ipsec-isakmp
  set peer 1.1.1.1 default
  set peer 2.2.2.2

The following example shows that the peer with the host name fred is the default peer.

 crypto map tohub 2 ipsec-isakmp
  set peer fred dynamic default
  set peer barney dynamic




ref: https://supportforums.cisco.com/thread/343363
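The ASA equivalent of the dynamic-peer approach described in the post above, as an added example that is not from this thread or from Cisco's documentation: the static side (Site A) uses a dynamic crypto map and the DefaultL2LGroup tunnel-group, so it accepts an IKEv1 LAN-to-LAN tunnel from whatever address Site B currently has as long as the pre-shared key matches, while the dynamic side (Site B) keeps an ordinary static crypto map pointed at Site A's fixed address. The interface and object names, the 10.1.0.0/24 and 10.2.0.0/24 LANs, the address 198.51.100.10, the host 10.1.0.1 and the key placeholder are all constructed for the example; the syntax assumes ASA 8.4 or later (on 8.2 the same commands are spelled crypto isakmp policy, isakmp enable outside, crypto ipsec transform-set and nat (inside) 0 access-list).

```text
! ---------- Site A: head office, static outside IP 198.51.100.10 (constructed) ----------
! Accepts an IKEv1 L2L tunnel from whatever address Site B has today.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
object network SITE-A-LAN
 subnet 10.1.0.0 255.255.255.0
object network SITE-B-LAN
 subnet 10.2.0.0 255.255.255.0
! identity NAT so LAN-to-LAN traffic is not translated before it is encrypted
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup
!
! dynamic crypto map: no "set peer"; the peer address is taken from Site B's IKE request
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-MAP 10 set pfs group2
! the dynamic entry gets the highest sequence number so any static L2L entries match first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! no idle timeout: Site A cannot rebuild the tunnel, only Site B can
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout none
!
! every peer not matched by a named tunnel-group lands in DefaultL2LGroup,
! so this single pre-shared key is the only thing authenticating "Site B"
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy L2L-POLICY
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
 isakmp keepalive threshold 10 retry 2

! ---------- Site B: branch office, dynamic outside IP from the ISP ----------
! Must always be the initiator, because Site A has no address to dial.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
object network SITE-A-LAN
 subnet 10.1.0.0 255.255.255.0
object network SITE-B-LAN
 subnet 10.2.0.0 255.255.255.0
nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup
!
! crypto ACL: the "interesting" traffic that goes into the tunnel
access-list L2L-TO-SITE-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! ordinary static crypto map pointed at Site A's fixed address
crypto map OUTSIDE-MAP 10 match address L2L-TO-SITE-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside
!
! DPD so a changed ISP address is noticed quickly and the tunnel is rebuilt
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
 isakmp keepalive threshold 10 retry 2
!
! keep interesting traffic flowing from Site B so nobody on site has to touch anything;
! assumes the inside interface address is in 10.2.0.0/24 and 10.1.0.1 (constructed) answers ping
sla monitor 1
 type echo protocol ipIcmpEcho 10.1.0.1 interface inside
 frequency 30
sla monitor schedule 1 life forever start-time now
```

Two caveats a practitioner would want before deploying this. First, DefaultL2LGroup authenticates by pre-shared key alone, and that key is accepted from any source address, so anyone who learns it can bring up a tunnel claiming to be 10.2.0.0/24; use a long random key, put a vpn-filter on L2L-POLICY that permits only the branch subnets, and if more than one dynamic spoke is ever added move to certificate authentication rather than sharing one key. Second, only Site B can initiate: with no traffic from the branch the tunnel stays down, which is why the example keeps it alive from Site B with an SLA probe and disables the idle timeout on Site A.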

Casseres

Re: Connect ASA 5505 S2S VPN guidance

Wed Feb 29, 2012 5:32 pm

Hi,

Thank you for the quick reply.
But I need to change only 1 site to dynamic; the other site will stay static.

Current scenario is site A (static IP), site B (static IP).
I want this: Site A Head Office (static IP), site B BO (dynamic IP).

Not both of them dynamic, only 1.

Can I send you my current config and you tell me what I need to change on both sides so that I can have an S2S VPN again after the change?

Again thank you for the help,

Eldon

zavrik

Re: Connect ASA 5505 S2S VPN guidance

Thu Mar 01, 2012 7:07 am

Casseres, since you have an ASA, the solution for you is NEM (Network Extension Mode). It allows one ASA to work as the server and accept dynamic connections. The other ASA has a pre-configured server address to which it tries to establish a tunnel no matter what its current dynamic IP is. This still creates a site-to-site VPN.
Parts of the config:
Client (the ASA on the dynamic IP):

! EZVPN hardware-client side: this ASA always initiates towards the server's static address
vpnclient server X.X.X.X
! network-extension mode keeps the branch LAN routable from the server side (a true site-to-site tunnel)
vpnclient mode network-extension-mode
! bring the tunnel up automatically, not only when interesting traffic appears
vpnclient nem-st-autoconnect
! group name and pre-shared key must match the tunnel-group on the server
vpnclient vpngroup Blah password *****
! extended authentication credentials, must match the username on the server
vpnclient username blah password *****
vpnclient enable


Server (the ASA on the static IP):

! the tunnel-group name must match "vpnclient vpngroup" on the client
tunnel-group Blah type remote-access
tunnel-group Blah general-attributes
 default-group-policy Blah-policy
tunnel-group Blah ipsec-attributes
 pre-shared-key *****

! matches "vpnclient username" on the client; group-lock pins this user to the Blah tunnel-group
username blah password **********
username blah attributes
 group-lock value Blah

! "nem enable" is what lets a hardware client in this group use network-extension mode
group-policy Blah-policy internal
group-policy Blah-policy attributes
 vpn-simultaneous-logins 10
 vpn-filter value access-list
 vpn-tunnel-protocol IPSec
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-access-list
 nem enable

Casseres

Re: Connect ASA 5505 S2S VPN guidance

Thu Mar 01, 2012 7:50 am

Thank you again for the help, but I want help connecting the 2 ASAs to each other: 1 ASA has a static IP and the other has a dynamic IP.

At this moment I am not concerned with a client connecting using the VPN client, but with connecting the 2 ASAs.

Thank you,

Eldon

rc172

Re: Connect ASA 5505 S2S VPN guidance

Thu Mar 01, 2012 12:42 pm

Setting up an ASA as an EZVPN client like zavrik pointed out effectively turns the firewall into a mobile hardware client that phones home to a static peer and establishes a tunnel. You aren't using anything like the IPSec client software on endpoints.

The first ASA will be configured as the "server" and will have the static IP.

The second ASA will be configured as the "client" and can use dynamic IP addresses but will always phone home to the "server" at the statically configured peer address.

zavrik

Re: Connect ASA 5505 S2S VPN guidance

Fri Mar 02, 2012 5:21 am

Casseres, I gave you the configuration code for 2 ASAs. Where do you see clients/VPN clients and such?

Casseres

Re: Connect ASA 5505 S2S VPN guidance

Fri Mar 02, 2012 10:44 am

Hi Zavrik,

I saw the vpnclient statements in the client config, and I thought that it was a connection for a VPN Client.

Can you look at my current config and see what I need to change to have them connect?

Thanks again for the help,

Eldon

zavrik

Re: Connect ASA 5505 S2S VPN guidance

Wed Mar 07, 2012 7:05 am

Eldon,
I posted the exact configuration that you need to create on your two ASAs :)
Use it :)
