06-24-2003 01:32 PM - edited 02-21-2020 12:38 PM
Has anyone ever set up a site-to-site VPN with one of the two sites having a dynamic address? Today we're only using static IP addresses. The remote sites each have a specific subnet (a portion of 10.x.x.x space) assigned to them.
Thanks for any suggestions.
Pat
06-24-2003 09:21 PM
Hi Pat,
Yes, we do have a sample configuration for dynamic site to static.
http://www.cisco.com/warp/public/110/dynamicpix.html
At the central site, be specific on your access lists to what traffic goes to what tunnel.
Hope this helps
Arthur
06-25-2003 01:17 PM
Thanks for the pointer. I've got a couple of questions about this example.
- In access list 100 (which defines what traffic goes through the tunnel), there's a reference to 10.3.3.0/255.255.255.0. I don't see this subnet mentioned anywhere else in the example. Would this be an example of how you would set up a second remote site to come in over a tunnel?
- I always remember hearing that the access-lists that define tunnel traffic should be symmetric between the two ends of the tunnel. It looks like the central site PIX is using some summarization in access list 100 to define all tunnel traffic with 1 access list. Is this safe?
- It appears that all remote sites as well as VPN clients must use the same preshared key. Is this correct?
Thanks
Pat
06-25-2003 05:10 PM
Hi,
The 10.3.3.0/24 is the IP address range we are assigning to the clients (in the example); there is a pool called "client pool" defined.
The access-list 100 which is defined on the central PIX is being used to bypass NAT. We don't actually define what traffic is going through the tunnel on the central PIX; it gets negotiated.
The remote site as well as the VPN clients use the same pre-shared key since both of them get their IP address dynamically.
Thanks
Ranjana
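Added example, not part of the thread or of Cisco's sample configuration: a small audit over a constructed central-site config in PIX 6.x syntax, showing the two points from the last answer (access-list 100 is bound only to `nat 0`, and a wildcard pre-shared key serves every dynamic peer). The `audit` helper, the names `clientpool`, `dynmap`, `mymap`, `myset`, the key `EXAMPLE-KEY` and the 10.1.1.0/24 and 10.2.2.0/24 subnets are assumptions made for illustration.

```python
import re

# Constructed central-site config in PIX 6.x syntax (sample values only).
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
ip local pool clientpool 10.3.3.1-10.3.3.254
nat (inside) 0 access-list 100
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp key EXAMPLE-KEY address 0.0.0.0 netmask 0.0.0.0
"""

def audit(config):
    """Report how each ACL is used and whether a wildcard pre-shared key exists."""
    nat0_acls, crypto_acls, dynamic_maps = set(), set(), set()
    wildcard_keys = 0
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            nat0_acls.add(m.group(1))      # ACL only exempts traffic from NAT
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            crypto_acls.add(m.group(1))    # ACL selects traffic for a static peer
        elif m := re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)$", line):
            dynamic_maps.add(m.group(1))   # protected networks are negotiated
        elif re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", line):
            wildcard_keys += 1             # key accepted from any peer address
    findings = []
    for acl in sorted(nat0_acls - crypto_acls):
        findings.append(f"ACL {acl} is a NAT exemption only, not a crypto ACL")
    if wildcard_keys and dynamic_maps:
        findings.append("wildcard pre-shared key is shared by all dynamic peers")
    return {"nat0_acls": nat0_acls, "crypto_acls": crypto_acls,
            "dynamic_maps": dynamic_maps, "wildcard_keys": wildcard_keys,
            "findings": findings}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Because one key is accepted from any source address, rotating it means touching every remote site and client at once, which is worth tracking when this design is reviewed.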