Today’s problem is a new customer office opening ahead of its scheduled MPLS installation. We need to connect it back into the customer’s VPN via their existing hosted Cisco ASA. The internet connection at the new office is at this point unknown: it could be a 4G dongle, a satellite link or even a DSL line, or a combination of the three. We have a spare ASA and are going to build a site-to-site VPN even though the new office’s public IP address is unknown and possibly dynamic.
Cisco provide a special kind of crypto map for this challenge, the dynamic crypto map, and a special tunnel-group called ‘DefaultL2LGroup’ which catches L2L tunnels whose peer IP address does not match any named tunnel-group. There are ways of ‘steering’ dynamic L2L peers into different tunnel-groups, but we only need the basics here. Two consequences are worth keeping in mind: because the hub does not know the spoke’s address, only the spoke can initiate the tunnel (traffic originating on the hub side will not bring it up), and every dynamic peer that lands in DefaultL2LGroup authenticates with the same pre-shared key, so pick a strong one and treat it as shared by all such spokes.
The configuration on the ‘spoke’ end (the one with the dynamic/unknown IP address) is just a standard L2L IPsec tunnel pointed at the hub’s fixed IP, so only the Hub (fixed IP) end needs anything special:
Step 1 – Define the interesting traffic (for the NAT Exemption)
object network LOCAL_LAN
 subnet <local LAN ip range>
object network REMOTE_LAN
 subnet <remote LAN ip range>
Step 2 – Configure the NAT exemption
nat (INSIDE,OUTSIDE) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
Step 3 – Configure the phase 1 setup
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
This policy has to match one proposed by the spoke, since the spoke is always the initiator. group 2 and hash sha (SHA-1) are the lowest common denominator for older peers; use a stronger Diffie-Hellman group where both ends support it.
Step 4 – Configure the phase 2 setup
crypto ipsec ikev1 transform-set MY-SET esp-aes esp-sha-hmac
Step 5 – Configure the tunnel-group
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <secret_key>
Step 6 – Configure the Crypto maps
crypto dynamic-map DYNOVPN 10 set ikev1 transform-set MY-SET
crypto dynamic-map DYNOVPN 10 set reverse-route
crypto map VPNMAP 999 ipsec-isakmp dynamic DYNOVPN
crypto map VPNMAP interface outside
The dynamic entry is given the highest sequence number (999) so that any static L2L entries in VPNMAP are evaluated first and only a peer that matches none of them falls through to it. The set reverse-route line (RRI) is what lets the hub reach the remote LAN: with the spoke’s address unknown there is no static route to configure, so the ASA injects a route to the remote LAN via the peer when the SA comes up and withdraws it when the SA goes down. As written the dynamic map carries no match address ACL, so the hub will accept whatever proxy identities the spoke proposes for the agreed key; if the remote LAN range is known, restrict the dynamic map with a match address ACL so the hub only accepts that range.
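Putting the steps together, here is the complete configuration for both ends as an added worked example; it is not part of the original post. The addresses are assumed for illustration: the hub’s outside address 203.0.113.10 and LAN 10.1.0.0/16, and the spoke’s LAN 192.168.20.0/24 (its outside address is whatever the 4G/satellite/DSL provider hands out). The hub side adds one thing the post leaves out, a match address ACL (DYN_SPOKES, an assumed name) on the dynamic map so the hub only accepts proxy identities for the expected remote LAN, and the NAT exemptions carry no-proxy-arp route-lookup. The spoke side is the standard L2L configuration the post describes but does not show.

```text
! ===== Hub (fixed IP 203.0.113.10) - example values, not from the original post =====
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 192.168.20.0 255.255.255.0
!
! NAT exemption so VPN traffic between the two LANs is never translated
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set MY-SET esp-aes esp-sha-hmac
!
! Any L2L peer whose address matches no named tunnel-group lands here,
! so this key is effectively shared by every dynamic spoke
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <secret_key>
!
! Added (assumed ACL name): only accept proxy IDs for the known remote LAN
access-list DYN_SPOKES extended permit ip object LOCAL_LAN object REMOTE_LAN
crypto dynamic-map DYNOVPN 10 match address DYN_SPOKES
crypto dynamic-map DYNOVPN 10 set ikev1 transform-set MY-SET
! RRI: a route to 192.168.20.0/24 via the spoke is injected when the SA comes up
crypto dynamic-map DYNOVPN 10 set reverse-route
! Highest sequence number so static peers in VPNMAP are tried first
crypto map VPNMAP 999 ipsec-isakmp dynamic DYNOVPN
crypto map VPNMAP interface outside

! ===== Spoke (dynamic IP) - standard L2L pointing at the hub =====
object network LOCAL_LAN
 subnet 192.168.20.0 255.255.255.0
object network HUB_LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static HUB_LAN HUB_LAN no-proxy-arp route-lookup
!
! Interesting traffic for the spoke's static crypto map entry
access-list VPN_TO_HUB extended permit ip object LOCAL_LAN object HUB_LAN
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set MY-SET esp-aes esp-sha-hmac
!
! The spoke knows the hub's address, so it uses a normal static entry
crypto map VPNMAP 10 match address VPN_TO_HUB
crypto map VPNMAP 10 set peer 203.0.113.10
crypto map VPNMAP 10 set ikev1 transform-set MY-SET
crypto map VPNMAP interface outside
!
! Same key as the hub's DefaultL2LGroup
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <secret_key>
```

Because only the spoke can initiate, bring the tunnel up by sending traffic from the spoke LAN towards 10.1.0.0/16, then confirm on the hub with show crypto ikev1 sa and show crypto ipsec sa, and check that show route now carries a 192.168.20.0/24 entry injected by RRI pointing at the spoke’s current public address. If the spoke’s address changes, the old SA times out and the next spoke-initiated exchange re-establishes the tunnel and replaces the route.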