
Thursday, July 8, 2010

How do we create a L2L IPSEC on ASA (8.3)?

We have a Cisco ASA (running 8.3) and a Cisco router (which supports IPsec VPN). The ASA has a static internet address, whilst the router has a dynamic one. If we create a L2L IPsec tunnel between the two, how would this work?

Can we use a solution such as dynamic DNS and then use that DNS name as the tunnel group name, so that the ASA does a DNS lookup to see whether it matches any phase 1 packets from a peer with that IP? Can this be done on some Cisco routers?

Does the ASA accept all connections from any peer address like it does with a RA tunnel?

It is suggested to use certificates + dynamic map in this case, the same way you would do it in the case of two routers. You can match the certificate to a particular tunnel group (by OU), or use tunnel group matching + certificate maps. You can apply a match on the dynamic crypto map to match the proxy identities.

For DNS resolution - it has not been implemented.
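As an added illustration of the certificate-plus-dynamic-map approach (not taken from the original post or from Cisco documentation), the following ASA 8.3 configuration binds a peer certificate whose OU is `branch-vpn` to a dedicated L2L tunnel group and lets a dynamic crypto map match the proxy identities. All names, the OU value and the subnets are assumptions; CA enrollment and the router-side configuration are omitted.

```cisco
! --- Phase 1: certificate (RSA-sig) authentication, no pre-shared key ---
crypto isakmp enable outside
crypto isakmp identity auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Trustpoint for the CA that issued both the ASA and router certificates (assumed name)
crypto ca trustpoint LAB-CA
 enrollment terminal
 crl configure
! --- Map the router's certificate to a dedicated L2L tunnel group by OU ---
crypto ca certificate map BRANCH-CERT-MAP 10
 subject-name attr ou eq branch-vpn
tunnel-group-map enable rules
tunnel-group-map BRANCH-CERT-MAP 10 BRANCH-L2L
tunnel-group BRANCH-L2L type ipsec-l2l
tunnel-group BRANCH-L2L ipsec-attributes
 trust-point LAB-CA
 peer-id-validate req
! --- Phase 2: proxy identities (HQ LAN <-> branch LAN) matched on the dynamic map ---
access-list BRANCH-PROXY-ACL extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-L2L 10 match address BRANCH-PROXY-ACL
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES256-SHA
! Dynamic entry gets the highest sequence so static peers (if any) are tried first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
! --- 8.3 object NAT exemption so tunnel traffic is not translated ---
object network HQ-LAN
 subnet 10.10.0.0 255.255.0.0
object network BRANCH-LAN
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN
```

Because the router's address is not known in advance, the ASA cannot initiate this tunnel; the router must bring it up, and `show vpn-sessiondb l2l` on the ASA then shows which tunnel group the certificate was mapped to.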

Please click here for more information (requires Cisco login)

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
