501 to 515 via DHCP

Unanswered Question
Dec 31st, 2007
I have a PIX501 I want to install in a user's home on a cable network. The PIX501 will come up with a DHCP IP address from its carrier. How do I configure the PIX515 for this connection, since I will not know what the IP address of the unit will be?

Jon Marshall Mon, 12/31/2007 - 12:16
User Badges: Super Blue (32500 points or more), Hall of Fame Founding Member, Cisco Designated VIP 2017 (LAN, WAN)
Hi


What type of connection do you mean, i.e.


1) remote access vpn

2) site-to-site VPN - in which case have a look at a pre-shared wildcard key, which does not require you to know the remote IP address of the 501 to set up a tunnel.

3) Normal application access such as HTTP/telnet etc.


Jon

HMidkiff Mon, 12/31/2007 - 12:22
I know how to configure the 501 on the cable network. I am a little unclear on the 515. Normally when you configure the "crypto map" and the "isakmp key" you have to use the IP address of the 501. In this case the 501 will be getting its IP via DHCP, so I won't know what it will be. In this case I thought there was a special config for the 515, but I cannot seem to find it.

Jon Marshall Mon, 12/31/2007 - 13:07

OK, I'm assuming you are talking about a site-to-site VPN?


Attached is a doc that shows how to configure a 2811 router to accept a site-to-site VPN tunnel from a PIX without knowing the public IP address of the PIX. It should be fairly straightforward to translate the 2811 commands to PIX commands.


http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml


Key points


1) isakmp key "cisco123" address 0.0.0.0 0.0.0.0


which means you don't have to specify the remote IP address - i.e. any address can try to connect - see caveats below.


2) You create a dynamic crypto map entry called "remote_pix", e.g.


crypto dynamic-map remote_pix 1 match address remoteacl ** obviously you need to define this access-list **

crypto dynamic-map remote_pix 1 set pfs group2

crypto dynamic-map remote_pix 1 set transform-set ESP-3DES-SHA

crypto dynamic-map remote_pix 1 set security-association lifetime seconds 3600 kilobytes 4608000


Note that there is no mention of a crypto map "set peer ip-address" here.


You then apply the dynamic crypto map to your existing crypto map on the PIX 515. So let's say, for argument's sake, you already have a crypto map applied to the outside interface with site-to-site VPNs already defined, and these site-to-site VPNs are using static IP addresses for the remote end.

Your crypto map is called vpn-set and you have 5 entries already for 5 different VPN tunnels.


To add your dynamic crypto map


crypto map vpn-set 6 ipsec-isakmp dynamic remote_pix


Caveats

-------


Because you have used 0.0.0.0 0.0.0.0 as the address in the isakmp command, any remote address can try to connect using IPsec. In effect you have relaxed the security. You need to make very sure that the key you choose is good enough, as this is your only real form of security now, so choosing something like "cisco123" would not be a very wise thing.


I have used "crypto map vpn-set 6" to add in the dynamic map. In practice you should use an index number quite a bit higher than your last static entry. You need to make sure that this entry is always the last in your crypto map vpn-set entries, so make sure there is plenty of leeway to add more fixed-IP tunnels between your last fixed tunnel configuration and the dynamic one.


Hope this all makes sense


Jon
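The two sides of the setup Jon describes, written out in PIX 6.3 syntax as an added example (this is not configuration from the thread or from the linked Cisco document, and the addresses, ACL names, sequence numbers and key placeholder are assumptions): the 515 is the hub on a fixed public address, the 501 is the spoke on a DHCP address. Two translation points from the 2811 doc to the PIX: the wildcard key on a PIX is written `isakmp key ... address 0.0.0.0 netmask 0.0.0.0`, and because the 515 has no `set peer` for this tunnel it can only accept, never initiate, so interesting traffic must start from the 501 side.

```text
! ===== PIX 515 (hub, assumed public IP 198.51.100.1, assumed inside 10.1.0.0/16) =====
! Interesting traffic for the DHCP spoke (assumed home LAN 10.2.0.0/24); only private
! subnets appear here, so the spoke's unknown public address is never needed.
access-list remoteacl permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
! Existing static tunnel (assumed peer 203.0.113.10, assumed remote LAN 10.3.0.0/24)
access-list branch1 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
! Exempt tunnelled traffic from NAT and let IPsec traffic bypass the interface ACL
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic map: note there is no "set peer"; the spoke's address is learned when it connects
crypto dynamic-map remote_pix 1 match address remoteacl
crypto dynamic-map remote_pix 1 set pfs group2
crypto dynamic-map remote_pix 1 set transform-set ESP-3DES-SHA
crypto dynamic-map remote_pix 1 set security-association lifetime seconds 3600 kilobytes 4608000

! Static tunnel entries first (low sequence numbers) ...
crypto map vpn-set 10 ipsec-isakmp
crypto map vpn-set 10 match address branch1
crypto map vpn-set 10 set peer 203.0.113.10
crypto map vpn-set 10 set transform-set ESP-3DES-SHA
! ... dynamic entry last, with a large gap (entries are evaluated in ascending order)
crypto map vpn-set 100 ipsec-isakmp dynamic remote_pix
crypto map vpn-set interface outside

isakmp enable outside
isakmp identity address
! Per-peer key for the static tunnel (placeholder, use a long random string)
isakmp key REPLACE-WITH-LONG-RANDOM-KEY-1 address 203.0.113.10 netmask 255.255.255.255
! Wildcard key accepted from any source address: this key is the only thing
! gating who may bring up a tunnel, so make it long and random, not "cisco123".
! Add "no-xauth no-config-mode" to this line if the same 515 also terminates VPN clients.
isakmp key REPLACE-WITH-LONG-RANDOM-KEY-2 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ===== PIX 501 (spoke, DHCP on the cable network, assumed inside 10.2.0.0/24) =====
ip address outside dhcp setroute
access-list vpn permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list vpn
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! The spoke knows the hub's fixed address, so it uses an ordinary static crypto map
crypto map spoke 10 ipsec-isakmp
crypto map spoke 10 match address vpn
crypto map spoke 10 set pfs group2
crypto map spoke 10 set peer 198.51.100.1
crypto map spoke 10 set transform-set ESP-3DES-SHA
crypto map spoke interface outside
isakmp enable outside
isakmp identity address
! Must match the hub's wildcard key exactly
isakmp key REPLACE-WITH-LONG-RANDOM-KEY-2 address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

To bring the tunnel up, send traffic from the 501's inside network toward 10.1.0.0/16 (a ping from a home PC is enough), then check `show isakmp sa` and `show crypto ipsec sa` on either box; `show crypto map` on the 515 confirms that the dynamic entry carries the highest sequence number. Because every spoke using the wildcard entry shares the same key, losing one spoke means rotating that key everywhere, which is one more reason to keep it long, random and distinct from the per-peer keys used by the static tunnels.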

