VPN PIX-to-Router Static-to-Dynamic

Answered Question
Mar 13th, 2007

Dear friends,

I'm trying to configure an IPSec tunnel between an IOS router and a PIX v7.0. I've already seen some URLs here pointing to an example configuration. However, that example covers only the v6.x version of PIX, so it is not useful for my case.

My situation is that the router connects to a DSL provider and obtains a dynamic IP address and my PIX appliance has a static (Leased Line) connection to Internet. So, I have to establish this tunnel using pre-shared keys.

How do I do it using v7.x on the PIX?

Appreciate the help,


Correct Answer by ggilbert about 9 years 7 months ago


Here is an example for PIX 7.0 version to build a dynamic L2L tunnel.


You would need to create a dynamic crypto map and use the defaultL2L tunnel-group for pre-shared key settings.

Rate this post, if it helps.
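As an added example (not the document ggilbert refers to, and not Cisco's own configuration), here is what the PIX 7.0 side of such a dynamic L2L tunnel looks like when built the way the answer describes: a dynamic crypto map with no peer address, and the pre-shared key on DefaultL2LGroup. The network addresses, ACL and map names are constructed placeholders.

```text
! PIX 7.0 side (static public address). Constructed example addresses:
!   inside LAN behind the PIX : 10.1.1.0/24
!   LAN behind the DSL router : 192.168.1.0/24
! The router's public address is unknown, so no "crypto map ... set peer" is used.
!
! Phase 1 (ISAKMP). In 7.0 the keyword is "isakmp"; 7.2 renamed it "crypto isakmp".
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2 proposal
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Interesting traffic, also exempted from NAT so it is not translated before encryption
access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC
!
! Dynamic crypto map: no peer address, so any peer that authenticates may negotiate.
! Pinning it to the expected proxy identities keeps a stray peer from negotiating
! arbitrary networks; the router's crypto ACL must be the mirror image of this one.
crypto dynamic-map DYN-MAP 10 match address L2L-TRAFFIC
crypto dynamic-map DYN-MAP 10 set transform-set ESP-3DES-SHA
!
! Bind the dynamic map as the last entry of the crypto map on the outside interface
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Pre-shared key for peers whose address is unknown. A router initiating in main
! mode lands on DefaultL2LGroup (a named tunnel-group is never matched for a
! dynamic peer, as the later replies in this thread explain); an aggressive-mode
! initiator would land on DefaultRAGroup instead. This one key covers every
! dynamic peer, so treat it accordingly.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-YOUR-PSK
!
! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

On the router side the only requirement this imposes is a static crypto map pointing at the PIX's fixed address with a matching pre-shared key and a mirrored crypto ACL; `show isakmp sa` and `show ipsec sa` on the PIX confirm the tunnel came up.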



mauricioharley Tue, 03/13/2007 - 12:55


Thanks a lot!!! This document definitely solved my issue.

I appreciate your help.

Best regards,


isk-admin Fri, 03/16/2007 - 01:29


I tried it with ASA 7.2.2 with some changes (because some commands were changed) and it works well.

Then I tried it with a special group like TESTGROUP instead of DefaultRAGroup but with same parameters and I get the following error message:

Mar 15 23:45:19 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, ab


Mar 15 23:45:19 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!

Mar 15 23:45:19 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Mar 15 23:45:24 [IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

What's going wrong?



kaachary Fri, 03/16/2007 - 01:43


A dynamic tunnel will never land on a separately created group.

It would be either DefaultRAGroup or DefaultL2LGroup, depending on how the remote side initiates the connection.

If it initiates the connection in Aggressive mode, the connection will land on DefaultRAGroup, and if it initiates the connection in Main mode, it will land on DefaultL2LGroup.

But never on a separately created group.

*Please rate if helped.


ggilbert Sat, 03/17/2007 - 09:12


When the tunnel from the remote side is trying to get initiated, the ASA looks through the tunnel-groups and finds the IP address that matches the peer IP address. So, if you create a group called TESTGROUP, it is not going to match on that.

With 7.x version of code, you will not be able to make a LAN to LAN (static) land on a named tunnel-group.

Since you do not know what the IP address of the remote guy is, it is best to let the tunnel land on the DefaultL2LGroup.

Rate this post, if it helps!



