PIX 8.x to ASA 8.x Site (static ip) to Site (dynamic ip) tunnel configuration

Discussion in 'Cisco' started by JoeG, Feb 20, 2008.

  1. JoeG

    JoeG Guest

    Hi,

    I have a PIX 515e with OS 8.x (central static IP) and an ASA 5505 with
    OS 8.x (remote dynamic IP). We are trying to build a tunnel between
    the office and a home user. The office has a static IP and currently
    accepts Cisco VPN client (ipsec) connections without a problem.

    I have tried building a tunnel using the ASDM on both ends without
    much success. I have been able to build it with a typical static Site
    to Site tunnel, but as soon as the IP changes on the home user side,
    it obviously drops.

    I can provide the configurations if necessary, but can anyone provide a
    sample base config for both ends or provide any tips? I tried
    following the Cisco guides that I could find, but they are all for 7.x
    on the central PIX and 6.x on a remote PIX 501.

    Any help is greatly appreciated.

    Thank you!
    -Joe
     
    JoeG, Feb 20, 2008
    #1

  2. JoeG wrote:

    > I have a PIX 515e with OS 8.x (central static IP) and an ASA 5505 with
    > OS 8.x (remote dynamic IP). We are trying to build a tunnel between
    > the office and a home user. The office has a static IP and currently
    > accepts Cisco VPN client (ipsec) connections without a problem.
    >
    > I have tried building a tunnel using the ASDM on both ends without
    > much success. I have been able to build it with a typical static Site
    > to Site tunnel, but as soon as the IP changes on the home user side,
    > it obviously drops.
    >
    > I can provide the configurations if necessary, but can anyone provide a
    > sample base config for both ends or provide any tips? I tried
    > following the Cisco guides that I could find, but they are all for 7.x
    > on the central PIX and 6.x on a remote PIX 501.
    >
    > Any help is greatly appreciated.


    Have you looked at EasyVPN?

    Regards,
    Andrey.
     
    Andrey Tarasov, Feb 21, 2008
    #2

  3. JoeG

    JoeG Guest

    On Feb 20, 9:46 pm, Andrey Tarasov <> wrote:
    > JoeG wrote:
    > > I have a PIX 515e with OS 8.x (central static IP) and an ASA 5505 with
    > > OS 8.x (remote dynamic IP).  We are trying to build a tunnel between
    > > the office and a home user.  The office has a static IP and currently
    > > accepts Cisco VPN client (ipsec) connections without a problem.

    >
    > > I have tried building a tunnel using the ASDM on both ends without
    > > much success.  I have been able to build it with a typical static Site
    > > to Site tunnel, but as soon as the IP changes on the home user side,
    > > it obviously drops.

    >
    > > I can provide the configurations if necessary, but can anyone provide a
    > > sample base config for both ends or provide any tips?  I tried
    > > following the Cisco guides that I could find, but they are all for 7.x
    > > on the central PIX and 6.x on a remote PIX 501.

    >
    > > Any help is greatly appreciated.

    >
    > Have you looked at EasyVPN?
    >
    > Regards,
    > Andrey.


    Hi, Yes. Actually that's how it is working now. Unfortunately it
    works great..... EXCEPT .. you can't configure any other tunnels. We
    need to have it set up so you can tunnel into the remote ASA with
    Cisco VPN as well.

    Thanks
     
    JoeG, Feb 21, 2008
    #3
  4. JoeG wrote:

    > Hi, Yes. Actually that's how it is working now. Unfortunately it
    > works great..... EXCEPT .. you can't configure any other tunnels. We
    > need to have it set up so you can tunnel into the remote ASA with
    > Cisco VPN as well.


    Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
    that case?
    I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
    is required.

    Regards,
    Andrey.
     
    Andrey Tarasov, Feb 21, 2008
    #4
  5. JoeG

    JoeG Guest

    On Feb 21, 1:18 am, Andrey Tarasov <> wrote:
    > JoeG wrote:
    > > Hi, Yes.  Actually that's how it is working now.  Unfortunately it
    > > works great..... EXCEPT .. you can't configure any other tunnels.  We
    > > need to have it set up so you can tunnel into the remote ASA with
    > > Cisco VPN as well.

    >
    > Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
    > that case?
    > I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
    > is required.
    >
    > Regards,
    > Andrey.


    I actually had that portion working with DynDNS and a hostname. We
    just can't get the L2L site-to-site tunnel up.
     
    JoeG, Feb 21, 2008
    #5
  6. JoeG wrote:

    >>> Hi, Yes.  Actually that's how it is working now.  Unfortunately it
    >>> works great..... EXCEPT .. you can't configure any other tunnels.  We
    >>> need to have it set up so you can tunnel into the remote ASA with
    >>> Cisco VPN as well.

    >> Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
    >> that case?
    >> I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
    >> is required.

    >
    > I actually had that portion working with DynDNS and a hostname.


    Ah, good call!

    > We just can't get the L2L site-to-site tunnel up.


    If I remember correctly, 5510 and above can be EasyVPN client and server
    at the same time. Another (cheaper :) option is to talk to ISP and see
    if they offer static IP.

    Regards,
    Andrey.
     
    Andrey Tarasov, Feb 22, 2008
    #6
  7. JoeG

    JoeG Guest

    On Feb 21, 8:10 pm, Andrey Tarasov <> wrote:
    > JoeG wrote:
    > >>> Hi, Yes.  Actually that's how it is working now.  Unfortunately it
    > >>> works great..... EXCEPT .. you can't configure any other tunnels.  We
    > >>> need to have it set up so you can tunnel into the remote ASA with
    > >>> Cisco VPN as well.
    > >> Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in
    > >> that case?
    > >> I'd say if you want to have L2L tunnels and RA at remote ASA, static IP
    > >> is required.

    >
    > > I actually had that portion working with DynDNS and a hostname.

    >
    > Ah, good call!
    >
    > > We just can't get the L2L site-to-site tunnel up.

    >
    > If I remember correctly, 5510 and above can be EasyVPN client and server
    > at the same time. Another (cheaper :) option is to talk to ISP and see
    > if they offer static IP.
    >
    > Regards,
    > Andrey.


    Unfortunately it's an ASA 5505 ... and the ISP is a cable company and
    they only offer static IPs to business-class plans. The cheapest of
    those is like $200/mo... (the remote user is a residence)
     
    JoeG, Feb 22, 2008
    #7
  8. JoeG wrote:

    > Unfortunately it's an ASA 5505 ... and the ISP is a cable company and
    > they only offer static IPs to business-class plans. The cheapest of
    > those is like $200/mo... (the remote user is a residence)


    Here you go. ASA5510-BUN-K9 can be obtained for ~$2300 and 5505-10 for
    about ~$400. Question - how soon will you break even by buying a 5510
    and not paying for a business-class plan?

    Regards,
    Andrey.
     
    Andrey Tarasov, Feb 22, 2008
    #8
