Site to Site VPN

Answered Question
May 3rd, 2010

Hi

I need config help for a site-to-site VPN: a head office with a PIX 515 on a static public IP, and two branch offices on dynamic public IPs. The branch offices are equipped with 877 routers.

Appreciate the help

Correct Answer by Jennifer Halim about 7 years 1 month ago

Here is a sample configuration with 1 dynamic peer and a VPN client on a PIX:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Just assume that the VPN client is the second dynamic peer, because essentially a VPN client is also a dynamic peer. If you check the NAT exemption statement, the second ACL line is towards the IP pool subnet assigned to the VPN client, so just assume that the second ACL line is towards your second dynamic peer's LAN subnet.

Unfortunately there is no sample configuration with 2 dynamic LAN-to-LAN peers; however, the concept is the same as in the above sample config.

melwin.uk Tue, 05/04/2010 - 00:37

Thank you Ganesh.


I am looking for a sample config with a PIX/ASA at one end and a router at the other end.

The router would have a dynamic IP address.

melwin.uk Tue, 05/04/2010 - 02:47

Hi,

To add another VPN site on the PIX/ASA, do I need to replicate the same steps, or is some tweak needed?

Jennifer Halim Tue, 05/04/2010 - 02:55
User Badges: Cisco Employee

If you are trying to establish a VPN tunnel from a dynamic peer, you do not need to configure anything else on the PIX once you have configured 1 dynamic map. Once you get 1 dynamic site connected, the second dynamic site should connect too, as long as the phase 1 and phase 2 policies match between the PIX and the dynamic peer end.

One thing that you do need to configure is the NAT exemption ACL for the second dynamic peer's LAN.
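The two-dynamic-peer setup described in these replies, written out as an added example; this is not the thread's or Cisco's sample config. It assumes PIX/ASA 7.x-style syntax, interface names `inside`/`outside`, and constructed subnets (HQ 10.1.0.0/24, branches 10.2.0.0/24 and 10.3.0.0/24); the pre-shared key is a placeholder.

```cisco
! Added example (assumed PIX/ASA 7.x syntax, constructed addresses)
! Phase 1: the policy must match both 877 routers. Dynamic peers cannot be
! keyed by IP, so the wildcard DefaultL2LGroup pre-shared key is used; every
! dynamic branch shares it, so certificates are the stronger choice if available.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Phase 2: the transform set must match the routers' transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One dynamic map serves every dynamic peer. The routers carry the crypto ACLs,
! so the PIX learns each branch subnet from the peer's proposal at negotiation.
! The dynamic entry takes the highest sequence number so that any static
! (known-IP) peers added later are evaluated first.
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-L2L 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
!
! NAT exemption: one ACL line per remote LAN. Adding a third dynamic branch
! means adding one more line here and nothing else on the PIX.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Check: "show crypto isakmp sa" should list one SA per branch public IP, and
! "show crypto ipsec sa" one pair of SAs per branch subnet once traffic flows.
```

Because the PIX has no crypto ACL for a dynamic peer, the tunnel can only be initiated from the branch side; the 877s must hold the mirror-image crypto ACLs.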

melwin.uk Tue, 05/04/2010 - 03:07

Hi halijenn

Can you help me find the documented steps on the Cisco website for more than one dynamic site connected to a PIX/ASA?

I checked, but no luck so far.
