Status: Solved
Site to Site VPN with PIX/Cisco 800 series router - One side has dynamic IP

Hi,

I'm looking for a config example of how to setup a Site to Site VPN using IPSec and Pre-Shared key, where one side uses a dynamic ip address.  The PIX uses a static address, however the Cisco 800 series is used with a dynamic ip address.

The default VPN site to site tunnel on the PIX requires a Peer IP address, which I cannot supply due to having dynamic address at the other side.

I read one other post stating that the PIX requires a dynamic-map instead of a peer-ip, but I cannot find any actual working examples.

Your help would be much appreciated!

Below is an example config that is used for an existing tunnel working over fixed IP.  If I can modify one of these using IOS to work using dynamic-map, this would be ideal.

PIX side

access-list outside_cryptomap_141 extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0

crypto map outside_map 141 match address outside_cryptomap_141
crypto map outside_map 141 set pfs
crypto map outside_map 141 set peer x.x.x.x
crypto map outside_map 141 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Cisco 800 side

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address x.x.x.x

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.x
 set peer x.x.x.x
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255

Thanks,

Kevin
Asked by: itdeptneci

1 Solution
MikeKane commented:
Config example is right here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

At my current employer, I have 8 sites using dynamic IPs to hit the HQ's ASA. It works well with the understanding that only the remote site can initiate the tunnel.

itdeptneci (Author) commented:
Hi,

Yes, about 2 minutes after posting I came across the following and it's now working!

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

One question though regarding your 8 sites.

Are each of your tunnels using the same pre-shared-key, and tunnel group?

Thanks!
MikeKane commented:
Yes they are.
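The dynamic-map approach from the accepted answer and the shared pre-shared-key / tunnel-group point from the follow-up, written out as one complete pair of configs. This is an added example and not the thread's own working config or the linked Cisco document; it reuses the poster's subnets (192.168.1.0/24 behind the PIX, 192.168.104.0/24 behind the router), the `x.x.x.x` placeholder for the PIX's static address and PIX 7.x / ASA command syntax as seen in the posted snippet. The names `outside_dyn_map` and `outside_cryptomap_dyn`, the sequence number 65535, the `Dialer0` WAN interface and the key placeholder `ReplaceWithStrongPSK` are assumptions to be substituted.

```cisco
! ===== PIX side (static public IP x.x.x.x; PIX 7.x / ASA syntax) =====
! Phase 1 proposal matching what the Cisco 800 already offers (3DES / SHA-1 / DH group 2,
! pre-shared key). Kept only to match the posted config; on current code prefer AES and a
! larger DH group on both ends.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 proposal, unchanged from the static-to-static tunnel.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Interesting traffic (PIX LAN <-> router LAN); the same ACL exempts it from NAT.
access-list outside_cryptomap_dyn extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_dyn
!
! A dynamic crypto map has no "set peer": it accepts IKE from whatever address
! presents a valid pre-shared key for the matching traffic. Because the PIX does
! not know the remote address, only the router can bring the tunnel up.
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set pfs
!
! Attach the dynamic map with the HIGHEST sequence number so any existing static
! entries (for example the poster's "outside_map 141") are evaluated first.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! With no peer address to name a tunnel-group after, a dynamic L2L peer that
! authenticates with a pre-shared key lands in the built-in DefaultL2LGroup.
! Every dynamic-IP site therefore shares this single key and group, which is
! the situation the follow-up question asks about; protect the key accordingly.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key ReplaceWithStrongPSK

! ===== Cisco 800 side (dynamic public IP; IOS) =====
! This end knows the PIX's fixed address, so it keeps an ordinary static crypto
! map with "set peer" and is the only side that initiates.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ReplaceWithStrongPSK address x.x.x.x
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to PIX at x.x.x.x
 set peer x.x.x.x
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
!
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Apply the map to the interface that actually holds the dynamic address
! (Dialer0 is an assumption; use the WAN interface of the specific 800 model).
interface Dialer0
 crypto map SDM_CMAP_1
```

To confirm the tunnel after sending traffic from the router's LAN, `show crypto isakmp sa` on either box should list the peer in an established state and `show crypto ipsec sa` should show the encaps/decaps counters rising; on the PIX, `show crypto ipsec sa` will report the router's current public address as the peer even though it appears nowhere in the configuration. If the static side ever needs to initiate, a dynamic-map design cannot provide that, which is the limitation the accepted answer points out.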
