01-27-2010 03:39 PM
Is there a good link anywhere that explains how to set this up where the main office will have a PIX firewall with a static outside IP, and the remote end will be an ASA with a dynamic IP, and we'll need an IPsec tunnel between them? I'm assuming traffic will have to be initiated from the firewall with the dynamic IP, in this case the ASA? But what about once the tunnel is up, will I be able to initiate a connection into the network on the ASA LAN from a LAN behind the PIX (assuming it's defined in the crypto map)? If I can't connect to the ASA's LAN, will I at least be able to initiate an SSH session to the ASA from the PIX LAN? Thanks
01-27-2010 05:03 PM
Hi,
The following link will give you a configuration example of a PIX with static addressing when the remote site is in dynamic mode:
Once the tunnel is UP, the LANs on both sides will be able to communicate with each other.
HTH
Laurent.
01-28-2010 06:43 AM
I found that link last night. What I don't like about it is it doesn't just address a site-to-site between a dynamic IP and a static IP, it throws the VPN client into the works. This part adds to the confusion for me and I'm not quite certain which part of the config applies to the remote access VPN vs. the site-to-site. In particular, which lines from the configs in the example (pasted below) apply to the site-to-site piece of it?
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
Does the above reference BOTH the remote access and site-to-site pieces of it? While I can appreciate Cisco's doc wanting to cover the additional scenario of remote access VPNs, I'd prefer to see just the config between two firewalls where only a site-to-site between a static and a dynamic IP is being discussed. I wasn't 100% certain as to which parts of the Cisco doc are referencing the config needed for the remote access example; I only need the site-to-site piece of it.
01-28-2010 01:48 PM
Regarding this example, here is the configuration related to the site-to-site VPN:
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
!
crypto map dyn-map interface outside
!
isakmp enable outside
!
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
All the commands starting with vpngroup are dedicated to the VPN client.
HTH
Laurent.
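For the other end of the tunnel, here is the matching configuration for the ASA with the dynamic address. It is added here as an illustration by the editor and is not part of the original thread or of the Cisco document it discusses. It assumes the PIX outside address is 192.0.2.1 (a documentation address; substitute the real static IP), that the PIX LAN is 10.2.2.0/24 and the ASA LAN is 10.1.1.0/24 as in the access list above, and ASA 7.x/8.x syntax. Because the PIX side has only a dynamic crypto map with no peer address, the ASA is the side that must bring the tunnel up; once it is established, traffic for the networks in the access list flows in both directions. The transform set and ISAKMP policy mirror the example (DES, MD5, group 1) so that the two sides match, but those algorithms are weak by today's standards and should be replaced by AES, SHA and a stronger DH group on both ends.

```text
! ASA side (dynamic outside address): static crypto map pointing at the PIX.
! Interesting traffic is the mirror image of the PIX access list.
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map outside_map 10 match address 100
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set myset
crypto map outside_map interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 1000
!
! The peer's static IP (assumed 192.0.2.1) names the site-to-site tunnel group;
! the pre-shared key must match the wildcard isakmp key on the PIX.
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key ********
```

If the ASA translates the inside network (nat/global on 8.2 and earlier), add a NAT exemption (nat (inside) 0 access-list with the same pair of networks), otherwise the traffic is translated before it reaches the crypto map and never matches. Bring the tunnel up by sending traffic from the ASA LAN, then check it with show crypto isakmp sa and show crypto ipsec sa on both firewalls.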
01-28-2010 04:37 PM
HI Laurent,
The document link from MJ is correct!
The dynamic map is not just for VPN clients but also for peers with a dynamic IP address, so that they can negotiate the tunnel as a "user".
Since the tunnel group on the firewall (w/ static IP) cannot be assigned a static IP, crypto isakmp key <> address 0.0.0.0 0.0.0.0 says: whatever device comes, just try to negotiate the tunnel with it.
The tunnel gets negotiated with a default group by giving a pre-shared key to it!!
Regards,
Pradhuman