06-17-2009 12:11 AM - edited 03-11-2019 08:44 AM
Is it possible to set up a site-to-site VPN with a PIX 501 when one site has a dynamically assigned external IP?
The PIX is running version 6.3. Is there any other way around this that doesn't involve changing the config every time the IP address changes?
Any help would be greatly appreciated.
06-17-2009 12:58 AM
Yes it is possible, if you use DDNS and the remote site connects to the VPN via domain name.
HTH
06-17-2009 05:54 AM
Thanks for your reply Andrew,
I had tried to do this using DDNS, but when I set the preshared key for the remote peer the PIX will only allow me to use an IP address.
Also, when I set the remote peer for the crypto map it requires an IP address.
Can you tell me where I'm going wrong?
06-17-2009 06:05 AM
OK, firstly we need to establish the network topology:
1) Which end is the PIX on, DHCP or static IP?
2) What other equipment are you using at the remote end for this?
Jon is correct - the crypto maps and isakmp config can have a 0.0.0.0 address.
06-17-2009 07:57 AM
I didn't realise you could use a 0.0.0.0 address, I will do that.
Thanks for your help.
06-17-2009 02:34 AM
Daniel
You can use a dynamic crypto map where you do not need to specify the remote peer IP address. See this link for an example -
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml
Be aware that when you use a dynamic crypto map, i.e. you don't check the remote peer IP, then any peer can try to initiate an IPsec connection to your PIX. So your key is the only real security you have, so make sure it is a good one.
Jon
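
The dynamic crypto map and 0.0.0.0 pre-shared key discussed in this thread, sketched as PIX 6.3 configuration for the end with the static IP. This is an added example, not part of any poster's reply; the subnets, the names `nonat`, `myset`, `dynmap` and `mymap`, the ISAKMP policy values and the key placeholder are all assumptions.

```text
! Constructed example for the PIX at the static-IP site (PIX OS 6.3).
! Assumed networks: 192.168.1.0/24 local, 192.168.2.0/24 behind the
! dynamically addressed peer.

! Exempt site-to-site traffic from NAT
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec

! Phase 2: transform set and a dynamic map entry with no "set peer"
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset

! Bind the dynamic map into the crypto map at a high sequence number
! so that any static peer entries are evaluated first
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

! Phase 1: wildcard pre-shared key matches a peer at any source address
isakmp enable outside
isakmp key <LONG-RANDOM-PRESHARED-KEY> address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The dynamically addressed site keeps an ordinary static crypto map with `set peer` pointing at this PIX's fixed address and has to initiate the tunnel. Because the 0.0.0.0 key entry accepts a negotiation attempt from any address, the pre-shared key should be long and random.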