Cisco ASA Site to Site VPN with dynamic IP addresses

Today’s problem is a new customer office opening ahead of its scheduled MPLS installation. We need to connect the office back to the company network over a VPN terminated on the customer’s existing hosted Cisco ASA. The internet connection at the new office is at this point unknown: it could be a 4G dongle, a satellite link or even a DSL line, or a combination of all three! We have a spare ASA, so we are going to build a site-to-site VPN even though the new office’s public IP is unknown and quite possibly dynamic.

Cisco provide a special kind of crypto map for this challenge, the dynamic crypto map, and a special tunnel-group called ‘DefaultL2LGroup’ which catches L2L tunnels whose peer IP address does not match any other tunnel-group. Bear in mind what that implies: the pre-shared key configured on DefaultL2LGroup is effectively shared by every dynamic peer, so anyone who holds it can bring up a tunnel to the hub from any address. There are ways of ‘steering’ dynamic L2L peers into different tunnel-groups (matching on certificates, for example), but we only need the basics here.

The configuration on the ‘spoke’ end (the one with the dynamic/unknown IP address) is just a standard L2L IPsec tunnel pointed at the hub’s fixed address, so only the spoke can initiate the tunnel; the hub has no peer address to send IKE to. Here is what we need on the Hub (fixed IP) end:

Step 1 – Define the interesting traffic (for the NAT Exemption)

object network LOCAL_LAN
 subnet <local LAN ip range>

object network REMOTE_LAN
 subnet <remote LAN ip range>

Step 2 – Configure the NAT exemption

nat (INSIDE,OUTSIDE) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

Step 3 – Configure the phase 1 setup

The spoke must use exactly the same policy. AES-128, SHA-1 and DH group 2 are the lowest common denominator for older ASA code; raise them (and consider IKEv2) where both ends support it.

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Step 4 – Configure the phase 2 setup

crypto ipsec ikev1 transform-set MY-SET esp-aes esp-sha-hmac

Step 5 – Configure the tunnel-group

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <secret_key>

Step 6 – Configure the Crypto maps

crypto dynamic-map DYNOVPN 10 set ikev1 transform-set MY-SET
crypto dynamic-map DYNOVPN 10 set reverse-route

crypto map VPNMAP 999 ipsec-isakmp dynamic DYNOVPN
crypto map VPNMAP interface outside

The dynamic map is referenced at the highest sequence number so that any static L2L entries on VPNMAP are matched first. ‘set reverse-route’ injects a route for the spoke’s LAN into the hub’s routing table when the tunnel comes up, so return traffic goes into the tunnel without a manually configured route. With no match-address ACL on the dynamic map the hub accepts whatever proxy IDs the spoke proposes; if that is a concern, add one to restrict the networks a dynamic peer may negotiate.
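For completeness, here is the spoke-side configuration that the steps above rely on, as an added example that is not part of the original post. The addresses are assumptions for illustration only: hub public IP 203.0.113.1, hub LAN 10.1.0.0/24, spoke LAN 10.2.0.0/24, and interfaces named inside and outside on the spoke. The IKEv1 policy, transform set and pre-shared key must match the hub exactly.

```text
! Spoke-side ASA (dynamic public IP). Assumed addresses, not from the original post:
!   hub outside = 203.0.113.1, hub LAN = 10.1.0.0/24, spoke LAN = 10.2.0.0/24
object network LOCAL_LAN
 subnet 10.2.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.1.0.0 255.255.255.0

! NAT exemption: VPN traffic must not be PAT'd behind the dynamic public address
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

! Crypto ACL: the spoke defines the interesting traffic (proxy IDs); the hub's
! dynamic map accepts what the spoke proposes
access-list VPN-TO-HUB extended permit ip object LOCAL_LAN object REMOTE_LAN

! Phase 1: identical to the hub
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Phase 2: identical to the hub
crypto ipsec ikev1 transform-set MY-SET esp-aes esp-sha-hmac

! The hub's address is fixed, so a normal per-peer L2L tunnel-group works here;
! the key must be the one set on the hub's DefaultL2LGroup
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <secret_key>

! Static crypto map: this end knows its peer, so no dynamic map is needed
crypto map VPNMAP 10 match address VPN-TO-HUB
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set ikev1 transform-set MY-SET
crypto map VPNMAP interface outside
```

Generate some traffic from the spoke LAN to the hub LAN to bring the tunnel up (the hub cannot initiate it), then check both ends with `show crypto ikev1 sa`, `show crypto ipsec sa` and `show vpn-sessiondb l2l`. On the hub, `show route` should show the spoke LAN route injected by reverse-route once phase 2 completes.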