Site to Site VPN with PIX/Cisco 800 series router - One side has dynamic IP

Posted on 2009-02-13
Last Modified: 2012-05-06

I'm looking for a config example of how to set up a Site to Site VPN using IPSec and Pre-Shared key, where one side uses a dynamic IP address. The PIX uses a static address, however the Cisco 800 series is used with a dynamic IP address.

The default VPN site to site tunnel on the PIX requires a Peer IP address, which I cannot supply due to having a dynamic address at the other side.

I read one other post stating that the PIX requires a dynamic-map instead of a peer-ip, but I cannot find any actual working examples.

Your help would be much appreciated!

Below is an example config that is used for an existing tunnel working over fixed IP.  If I can modify one of these using IOS to work using dynamic-map, this would be ideal.

PIX side

access-list outside_cryptomap_141 extended permit ip 1

crypto map outside_map 141 match address outside_cryptomap_141
crypto map outside_map 141 set pfs
crypto map outside_map 141 set peer x.x.x.x
crypto map outside_map 141 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Cisco 800 side

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address x.x.x.x

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel tox.x.x.x
 set peer x.x.x.x
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
access-list 102 remark IPSec Rule
access-list 102 permit ip


Question by:itdeptneci

    Accepted Solution

    Config example is right here:

    At my current employ, I have 8 sites using dynamic IPs to hit the HQ's ASA.  It works well with the understanding that only the remote site can initiate the tunnel.  


    Author Comment


    Yes, about 2 minutes after posting I came across the following and it's now working!

    One question though regarding your 8 sites.

    Are each of your tunnels using the same pre-shared-key, and tunnel group?


    Expert Comment

    Yes they are.  
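
    The dynamic-map arrangement discussed in this thread, as an added example that is not taken from any post here or from the config the answer linked to. It assumes PIX/ASA 7.x or later syntax (the version the question's tunnel-group lines imply) and an existing ISAKMP policy on the PIX matching the 800's policy 1; the map name outside_dyn_map, sequence numbers 20 and 65535, and the angle-bracket values are placeholders.

```cisco
! --- PIX/ASA (static side): accept L2L peers whose address is not known ---
! Constructed example; outside_dyn_map / 20 / 65535 are assumed names and numbers.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic entry: no "set peer" is configured, so any peer that passes
! phase 1 and proposes a matching transform set can build the tunnel.
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

! Hang the dynamic map off the existing crypto map at the highest sequence
! number, so static entries such as 141 are evaluated first.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Already present if static tunnels are in use on this interface:
crypto map outside_map interface outside

! A pre-shared-key peer with no tunnel-group named after its address
! falls into the built-in DefaultL2LGroup, so the key goes there.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <shared-key-placeholder>

! --- Cisco 800 (dynamic side): same shape as the fixed-IP config ---
! The router still points at the PIX's static address and must initiate.
crypto isakmp key <shared-key-placeholder> address <pix-static-ip>
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer <pix-static-ip>
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102

! Check both phases after the 800 side sends traffic matching access-list 102:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

    Every dynamic-address site authenticates with the single key held in DefaultL2LGroup, which is the shared key and tunnel group arrangement confirmed above, so changing that key means reconfiguring all of those sites together.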
