Re: Site to Site Pix 501 Dynamic IP

pgagnon · ‎03-03-2002

I have a shiny new Pix 501/10 user/3des. I have a remote site with a dsl connection that has a dynamic ip address from the ISP. I want to do a site to site ipsec 3des ike preshared keys tunnel to connect to my Concentrator 3015. I have the Cisco sample config for this scenario with static ip's at each end. When setting up my Lan-to-Lan in the concentrator, what do I specify for my IKE peer?

Can this tunnel even work with one end being dynamic? This is the one piece of info I've been scouring for and not finding.

fmadar · ‎03-04-2002

Yes, you can. Where you have the dsl connection I supouse you should use PPPoE and in the other end you must tell the concentrator that you will be receiving a remote access connection. This sets up the concentrator to recreive any peer IP address. You won't be able to start the tunnel from the static connection, always from the dinamyc.

Regards

eheston · ‎03-07-2002

I have implemented this configuration successfully for a few clients. This document should help:

Configuring PIX to PIX Dynamic-to-Static IPSec with NAT and Cisco VPN Client

http://www.cisco.com/warp/customer/110/dynamicpix.html

cjacinto · ‎03-09-2002

This could be done, see:

http://www.cisco.com/warp/customer/471/vpn3k_iosdhcp.html

On the above it is an ios, but you could modify it for the PIX, and take note of the concentrator config.

paul.gagnon · ‎03-14-2002

I opened a tac and got a good sample config from one of the techs. This worked great and I did use the information from both of those documents as well to get this working. The config for the pix 501 is much simpler than that of the bigger pix's used in those sample configs.

The incorrect assumption I was making is that this would be a Lan-to-Lan connection. However, this situation is treated like a vpn client only there is no address assignment that happens.

Now I'm in the process of getting my routing issues straightened out.