PIX 8.x to ASA 8.x Site (static ip) to Site (dynamic ip) tunnel configuration

 
 
JoeG
      02-20-2008
Hi,

I have a PIX 515e with OS 8.x (central static IP) and an ASA 5505 with
OS 8.x (remote dynamic IP). We are trying to build a tunnel between
the office and a home user. The office has a static IP and currently
accepts Cisco VPN client (ipsec) connections without a problem.

I have tried building a tunnel using the ASDM on both ends without
much success. I have been able to build it with a typical static Site
to Site tunnel, but as soon as the IP changes on the home user side,
it obviously drops.

I can provide the configurations if necessary, but can anyone provide a
sample base config for both ends or provide any tips? I tried
following the Cisco guides that I could find, but they are all for 7.x
on the central PIX and 6.x on a remote PIX 501.

Any help is greatly appreciated.

Thank you!
-Joe
 
Andrey Tarasov
      02-21-2008
JoeG wrote:

> I have a PIX 515e with OS 8.x (central static IP) and an ASA 5505 with
> OS 8.x (remote dynamic IP). We are trying to build a tunnel between
> the office and a home user. The office has a static IP and currently
> accepts Cisco VPN client (ipsec) connections without a problem.
>
> I have tried building a tunnel using the ASDM on both ends without
> much success. I have been able to build it with a typical static Site
> to Site tunnel, but as soon as the IP changes on the home user side,
> it obviously drops.
>
> I can provide the configurations if necessary, but can anyone provide a
> sample base config for both ends or provide any tips? I tried
> following the Cisco guides that I could find, but they are all for 7.x
> on the central PIX and 6.x on a remote PIX 501.
>
> Any help is greatly appreciated.


Have you looked at EasyVPN?

Regards,
Andrey.
 
JoeG
      02-21-2008
On Feb 20, 9:46 pm, Andrey Tarasov <(E-Mail Removed)> wrote:
> JoeG wrote:
> > I have a PIX 515e with OS 8.x (central static IP) and an ASA 5505 with
> > OS 8.x (remote dynamic IP). We are trying to build a tunnel between
> > the office and a home user. The office has a static IP and currently
> > accepts Cisco VPN client (ipsec) connections without a problem.
> >
> > I have tried building a tunnel using the ASDM on both ends without
> > much success. I have been able to build it with a typical static Site
> > to Site tunnel, but as soon as the IP changes on the home user side,
> > it obviously drops.
> >
> > I can provide the configurations if necessary, but can anyone provide a
> > sample base config for both ends or provide any tips? I tried
> > following the Cisco guides that I could find, but they are all for 7.x
> > on the central PIX and 6.x on a remote PIX 501.
> >
> > Any help is greatly appreciated.
>
> Have you looked at EasyVPN?
>
> Regards,
> Andrey.


Hi, Yes. Actually that's how it is working now. Unfortunately it
works great..... EXCEPT .. you can't configure any other tunnels. We
need to have it set up so you can tunnel into the remote ASA with
Cisco VPN as well.

Thanks
 
Andrey Tarasov
      02-21-2008
JoeG wrote:

> Hi, Yes. Actually that's how it is working now. Unfortunately it
> works great..... EXCEPT .. you can't configure any other tunnels. We
> need to have it set up so you can tunnel into the remote ASA with
> Cisco VPN as well.


Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
that case?
I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
is required.

Regards,
Andrey.
 
JoeG
      02-21-2008
On Feb 21, 1:18 am, Andrey Tarasov <(E-Mail Removed)> wrote:
> JoeG wrote:
> > Hi, Yes. Actually that's how it is working now. Unfortunately it
> > works great..... EXCEPT .. you can't configure any other tunnels. We
> > need to have it set up so you can tunnel into the remote ASA with
> > Cisco VPN as well.
>
> Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
> that case?
> I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
> is required.
>
> Regards,
> Andrey.


I actually had that portion working with DynDNS and a hostname. We
just can't get the L2L site-to-site tunnel up.
 
Andrey Tarasov
      02-22-2008
JoeG wrote:

>>> Hi, Yes. Actually that's how it is working now. Unfortunately it
>>> works great..... EXCEPT .. you can't configure any other tunnels. We
>>> need to have it set up so you can tunnel into the remote ASA with
>>> Cisco VPN as well.
>>
>> Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
>> that case?
>> I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
>> is required.
>
> I actually had that portion working with DynDNS and a hostname.


Ah, good call!

> We just can't get the L2L site-to-site tunnel up.


If I remember correctly, 5510 and above can be EasyVPN client and server
at the same time. Another (cheaper) option is to talk to ISP and see
if they offer static IP.

Regards,
Andrey.
 
JoeG
      02-22-2008
On Feb 21, 8:10 pm, Andrey Tarasov <(E-Mail Removed)> wrote:
> JoeG wrote:
> >>> Hi, Yes. Actually that's how it is working now. Unfortunately it
> >>> works great..... EXCEPT .. you can't configure any other tunnels. We
> >>> need to have it set up so you can tunnel into the remote ASA with
> >>> Cisco VPN as well.
> >>
> >> Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
> >> that case?
> >> I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
> >> is required.
> >
> > I actually had that portion working with DynDNS and a hostname.
>
> Ah, good call!
>
> > We just can't get the L2L site-to-site tunnel up.
>
> If I remember correctly, 5510 and above can be EasyVPN client and server
> at the same time. Another (cheaper) option is to talk to ISP and see
> if they offer static IP.
>
> Regards,
> Andrey.


Unfortunately it's an ASA 5505 ... and the ISP is a cable company and
they only offer static IPs to business-class plans. The cheapest of
those is like $200/mo... (the remote user is a residence)
 
Andrey Tarasov
      02-22-2008
JoeG wrote:

> Unfortunately it's an ASA 5505 ... and the ISP is a cable company and
> they only offer static IPs to business-class plans. The cheapest of
> those is like $200/mo... (the remote user is a residence)


Here you go. ASA5510-BUN-K9 can be obtained for ~$2300 and 5505-10 for
about ~$400. Question - how soon will you break even by buying a 5510
and not paying for a business-class plan?

Regards,
Andrey.
 