
Site to Site VPN with PIX/Cisco 800 series router - One side has dynamic IP


I'm looking for a config example of how to set up a Site to Site VPN using IPSec and a pre-shared key, where one side uses a dynamic IP address.  The PIX uses a static address; however, the Cisco 800 series is used with a dynamic IP address.

The default VPN site to site tunnel on the PIX requires a peer IP address, which I cannot supply due to having a dynamic address at the other side.

I read one other post stating that the PIX requires a dynamic-map instead of a peer-ip, but I cannot find any actual working examples.

Your help would be much appreciated!

Below is an example config that is used for an existing tunnel working over fixed IP.  If I can modify one of these using IOS to work using dynamic-map, this would be ideal.

PIX side

access-list outside_cryptomap_141 extended permit ip 1

crypto map outside_map 141 match address outside_cryptomap_141
crypto map outside_map 141 set pfs
crypto map outside_map 141 set peer x.x.x.x
crypto map outside_map 141 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Cisco 800 side

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address x.x.x.x

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.x
 set peer x.x.x.x
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
access-list 102 remark IPSec Rule
access-list 102 permit ip


1 Solution
Config example is right here:


At my current employ, I have 8 sites using dynamic IPs to hit the HQ's ASA.  It works well with the understanding that only the remote site can initiate the tunnel.  

itdeptneci (Author) commented:

Yes, about 2 minutes after posting I came across the following and it's now working!


One question though regarding your 8 sites.

Are each of your tunnels using the same pre-shared-key, and tunnel group?

Yes, they are.
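
The PIX-side change the question asks about, as an added example that is not part of the original thread or of the document the answer linked to. The dynamic-map name outside_dyn_map and the sequence numbers 10 and 65535 are assumptions; the map name, transform set and PFS setting are taken from the posted config, and x.x.x.x stays a placeholder as in the thread.

```cisco
! PIX side, 7.x syntax as in the posted config. Constructed example.
! outside_dyn_map is an assumed name, not from the thread.

! Phase 2 proposal, same name the static tunnel already uses
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic entry: there is no "set peer" line, so the peer address
! does not have to be known in advance
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set pfs

! Attach the dynamic map at the highest sequence number so that the
! static entries (lower numbers, e.g. 141) are evaluated first
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! With pre-shared keys in main mode, a peer whose address is unknown
! cannot match "tunnel-group x.x.x.x", so it falls into the built-in
! default LAN-to-LAN group. This is why every dynamic site ends up
! with the same tunnel group and the same pre-shared key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

! Cisco 800 side: unchanged from the posted config.
! "crypto isakmp key * address x.x.x.x" and "set peer x.x.x.x" keep
! pointing at the static address of the PIX, and the router has to
! initiate the tunnel because the PIX has no address to dial.
```

Because all dynamic sites share the one key in DefaultL2LGroup, rotating it after a router at any site is lost or decommissioned means updating every dynamic site.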
