Two external IPs (IPSEC problem)

Hi,

I have an ASA 5510 in our central office that connects our other offices around the country (the smaller offices have ASA 5505s). All offices but one, which has a dynamic public IP, are on static public IPs.

I do site-to-site tunnels to all the offices but I have a problem with the dynamic one.

The dynamic tunnel has its own external IP in the 5510 in the CO, because I've understood that's the only way to do dynamic tunnels in ASA. This causes a problem since the default route is to another interface (the main external address of the ASA). I tried to add a static route for the current dynamic IP to the gateway of the second interface and that brought the tunnel up, but I don't like having to add a new static route every time the IP changes :-)

Does anyone have any good ideas how to solve this?

I have access to the router (Cisco) the CO-FW is connected to and I have several public IPs left to use if this will help.

Thanks in advance, Alexander

Alexander Rigbo

Hello,

I do not believe that the following is actually a requirement. What ASA code version are you using?

I have built site-to-site tunnels and dynamic remote access VPN tunnels terminating on the same ASA interface and using the same public IP address as the peer address.

Have you already tried to use the same external IP address used for your site-to-site tunnels on the CO 5510 and it does not work?

jrguent

Hi,

I'm not trying to set up a dynamic remote access VPN, but a dynamic site-to-site VPN.

Yes.

Thanks for your answer!

Alexander Rigbo

HQ-PIX:
tunnel-group type ipsec-l2l
tunnel-group type ipsec-l2l
tunnel-group type ipsec-l2l
tunnel-group Default-L2L type ipsec-l2l description Used for the only one dynamic IP

Have fun!

Wrong. Remove this.

Lutz Donnerhacke
