Site to Site VPN with PIX/Cisco 800 series router - One side has dynamic IP
Posted on 2009-02-13
I'm looking for a config example of how to set up a Site to Site VPN using IPSec and a pre-shared key, where one side uses a dynamic IP address. The PIX uses a static address; however, the Cisco 800 series is used with a dynamic IP address.
The default VPN site to site tunnel on the PIX requires a Peer IP address, which I cannot supply due to having a dynamic address at the other side.
I read one other post stating that the PIX requires a dynamic-map instead of a peer-ip, but I cannot find any actual working examples.
Your help would be much appreciated!
Below is an example config that is used for an existing tunnel working over fixed IP. If I can modify one of these using IOS to work using dynamic-map, this would be ideal.
access-list outside_cryptomap_141 extended permit ip 192.168.1.0 255.255.255.0 1
crypto map outside_map 141 match address outside_cryptomap_141
crypto map outside_map 141 set pfs
crypto map outside_map 141 set peer x.x.x.x
crypto map outside_map 141 set transform-set ESP-3DES-SHA
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
Cisco 800 side
crypto isakmp policy 1
crypto isakmp key * address x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.x
set peer x.x.x.x
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA
set pfs group2
match address 102
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255