itdeptneci
asked on
Site to Site VPN with PIX/Cisco 800 series router - One side has dynamic IP
Hi,
I'm looking for a config example of how to setup a Site to Site VPN using IPSec and Pre-Shared key, where one side uses a dynamic ip address. The PIX uses a static address, however the Cisco 800 series is used with a dynamic ip address.
The default VPN site to site tunnel on the PIX requires a Peer IP address, which I cannot supply due to having dynamic address at the other side.
I read one other post stating that the PIX requires a dynamic-map instead of a peer-ip, but I cannot find any actual working examples.
Your help would be much appreciated!
Below is an example config that is used for an existing tunnel working over fixed IP. If I can modify one of these using IOS to work using dynamic-map, this would be ideal.
PIX side
access-list outside_cryptomap_141 extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
crypto map outside_map 141 match address outside_cryptomap_141
crypto map outside_map 141 set pfs
crypto map outside_map 141 set peer x.x.x.x
crypto map outside_map 141 set transform-set ESP-3DES-SHA
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
Cisco 800 side
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key * address x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.x
set peer x.x.x.x
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA
set pfs group2
match address 102
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255
Thanks,
Kevin
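Added example, not the asker's config or the hidden accepted answer: the PIX side rewritten so the Cisco 800 can connect from a changing address. It reuses the transform-set name and subnets from the post above; the interface name "outside", the map names "outside_dyn_map" / "outside_cryptomap_dyn", the NAT-exemption ACL name and the placeholder key are assumptions. The router side needs no change, since its "set peer" still points at the PIX's static address and the dynamic side must be the one to initiate.

```cisco
! Phase 1: must match the router's "crypto isakmp policy 1" (3des, pre-share, group 2)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2 proposal, same name as in the existing static-peer config
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map: there is no "set peer"; the peer address is learned when
! the router initiates. The crypto ACL is optional on a dynamic map, but listing
! the expected proxy identities keeps any other dynamic peer from negotiating
! arbitrary protected networks. (ACL name is an assumption.)
access-list outside_cryptomap_dyn extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set pfs
!
! Attach the dynamic map as the highest-numbered entry of the existing static
! map, so peers with fixed addresses (e.g. entry 141) are still matched first.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! A peer whose address is unknown cannot be matched to a per-peer tunnel-group
! by IP, so it falls back to the built-in DefaultL2LGroup. Every dynamic peer
! therefore authenticates with this one key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <REPLACE-WITH-PSK>
!
! Exempt tunnel traffic from NAT (assumes an "inside" interface and a NAT 0
! ACL named inside_nat0_outbound; adjust to the existing config).
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.104.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Verification once the router has brought the tunnel up:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

Because all dynamic peers land in DefaultL2LGroup, the eight sites mentioned in the follow-up would share a single pre-shared key, and compromise of one site's key exposes the others; per-site authentication for dynamic peers needs certificates rather than a pre-shared key.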
Yes they are.
ASKER
Yes about 2 minutes after posting I came across the following and its now working!
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml
One question though regarding your 8 sites.
Are each of your tunnels using the same pre-shared-key, and tunnel group?
Thanks!