Can a PIX 501 handle both static and dynamic VPN at the same time?

Unanswered Question
Feb 23rd, 2009

I have a PIX 501 that is currently configured with a static IPSec tunnel to another remote site. This tunnel is verified as working properly. What I'd like to do is add VPN server functionality for me to remotely access the network. The configuration examples I've seen all included creating a dynamic crypto map...but since a static one is already in place, this poses a problem as only a single crypto map statement is allowed on an interface (unless I'm mistaken?). Anyone know an easy way around this?



fedecotof Tue, 02/24/2009 - 10:13

You can only have one crypto map applied to an interface, but you can have multiple static IPSec tunnels because the crypto maps have sequence numbers. So, what you have to do is use the same crypto map that is already in place, but add another instance of that crypto map with a different sequence number.

For example you have:

crypto map yourmap 10....

You just add:

crypto map yourmap 20....

If you want to add another static IPSec tunnel, then you continue:

crypto map yourmap 30...

Hope this helps.

Jon Marshall Tue, 02/24/2009 - 11:00


Yes, you can run both dynamic and static, remote access and site-to-site VPNs on the same PIX.

As already stated, you have one crypto map but you can have multiple entries. All the configs I have used and seen make the dynamic crypto a higher index number than statically defined entries.
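Added example, not part of the original thread or any poster's configuration: a PIX 6.x-style sketch of the layout both replies describe, with the existing static tunnel at sequence 10 and a dynamic entry at the highest sequence number in the same crypto map. The map, pool, group and ACL names, all addresses and the transform set are constructed placeholders; it assumes a working ISAKMP policy and pre-shared key already exist for the site-to-site peer.

```cisco
: Constructed example. Names, addresses and secrets are placeholders.
: Lines starting with a colon are comments on the PIX CLI.

: Traffic for the existing site-to-site tunnel
access-list s2s permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: Exempt both VPN destinations from NAT (remote site and client pool)
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

: Address pool handed to remote-access clients
ip local pool vpnpool 192.168.50.1-192.168.50.20

: Transform set: reuse whatever the existing tunnel already negotiates
crypto ipsec transform-set myset esp-3des esp-sha-hmac

: Static entry (already in place): fixed peer, fixed proxy ACL
crypto map yourmap 10 ipsec-isakmp
crypto map yourmap 10 match address s2s
crypto map yourmap 10 set peer 203.0.113.2
crypto map yourmap 10 set transform-set myset

: Dynamic template for clients whose source address is not known in advance
crypto dynamic-map dynmap 10 set transform-set myset

: Reference the template from the SAME crypto map, at the highest sequence
: number, so every static entry is evaluated before the catch-all entry
crypto map yourmap 65535 ipsec-isakmp dynamic dynmap

: Still exactly one crypto map bound to the interface
crypto map yourmap interface outside

: Remote-access group settings for the VPN client
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-password>
```

Because the dynamic entry accepts peers with no fixed address, keeping it last in the map and restricting the client pool with access rules limits what an unexpected peer can reach.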


