Site to Site VPN

Answered Question
May 3rd, 2010

Hi

I need config help for a site-to-site VPN: head office with a PIX 515 with a static public IP and two branch offices with dynamic public IPs. The branch offices are equipped with 877 routers.

Appreciate the help.

melwin.uk Tue, 05/04/2010 - 00:37

Thank you Ganesh.

I am looking for a sample config with a PIX/ASA at one end and a router at the other end.

Router would have dynamic ip address.

melwin.uk Tue, 05/04/2010 - 02:47

Hi,

To add another VPN site on the PIX/ASA, do I need to replicate the same steps, or is some tweak needed?

Jennifer Halim Tue, 05/04/2010 - 02:55

If you are trying to establish a VPN tunnel from a dynamic peer, you do not need to configure anything else on the PIX once you have configured one dynamic map. Once you have one dynamic site connected, the second dynamic site should connect too, as long as the phase 1 and phase 2 policies match between the PIX and the dynamic peer end.

One thing that you do need to configure is the NAT exemption ACL for the second dynamic peer's LAN.

melwin.uk Tue, 05/04/2010 - 03:07

Hi halijenn,

Can you help me find the documented steps on the Cisco website for more than one dynamic site connected to a PIX/ASA?

I checked, but no luck so far.

Correct Answer
Jennifer Halim Tue, 05/04/2010 - 03:17

Here is a sample configuration with one dynamic peer and a VPN client on a PIX:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Just assume that the VPN client is the second dynamic peer, because essentially a VPN client is also a dynamic peer. If you check the NAT exemption statement, the second ACL line is towards the IP pool subnet assigned to the VPN client, so just assume that the second ACL line is towards your second dynamic peer's LAN subnet.

Unfortunately there is no sample configuration with two dynamic LAN-to-LAN peers; however, the concept is the same as in the above sample config.
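To make the point in the answer concrete, the following is an added PIX/ASA 7.x-style configuration fragment (not from the thread or the linked Cisco document) showing one dynamic crypto map serving both dynamic branch peers, with the only per-branch change being a second NAT exemption ACL line. The addressing, names (NONAT, DYNMAP, OUTSIDE_MAP, ESP-AES256-SHA) and the pre-shared key placeholder are assumptions; check the syntax against the software version actually running on the PIX 515.

```text
! Added example; assumed addressing: head office LAN 10.1.1.0/24,
! branch A LAN 10.2.2.0/24, branch B LAN 10.3.3.0/24, outside interface "outside".

! NAT exemption: one ACL line per remote LAN. A second dynamic branch
! needs only a second line here; nothing else on the PIX is per-peer.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1 (ISAKMP) policy: must match what the 877 routers propose
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Dynamic peers cannot be matched by address, so they land in the
! default LAN-to-LAN tunnel group. Use a long, random key: any host that
! knows it can bring up a tunnel, so treat it as a shared credential.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_KEY

! Phase 2 transform set: must match the routers' transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One dynamic crypto map entry serves every dynamic peer; it is
! referenced by the highest (lowest-priority) sequence number.
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
```

The `nat (inside) 0 access-list` form applies to pre-8.3 code; on 8.3 and later the same exemption is expressed with identity NAT rules instead.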
