I have a PIX501 I want to install in a user's home on a cable network. The PIX501 will come up with a DHCP IP address from its carrier. How do I configure the PIX515 for this connection since I will not know what the IP address of the unit will be?
I know how to configure the 501 on the cable network. I am a little unclear on the 515. Normally when you configure the "crypto map" and the "isakmp key" you have to use the IP address of the 501. In this case the 501 will be getting its IP via DHCP so I won't know what it will be. In this case I thought there was a special config for the 515, but I cannot seem to find it.
OK, I'm assuming you are talking about a site-to-site VPN?
Attached is a doc that shows how to configure a 2811 router to accept a site-to-site VPN tunnel from a PIX without knowing the public IP address of the PIX. It should be fairly straightforward to translate the 2811 commands to PIX commands.
Note that there is no mention of a crypto map set peer "ip address" here.
You then apply the dynamic crypto map to your existing crypto map on the PIX 515. So let's say for argument's sake you already have a crypto map applied to the outside interface with site-to-site VPNs already defined, and these site-to-site VPNs are using static IP addresses for the remote end.
Your crypto map is called vpn-set and you have 5 entries already for 5 different VPN tunnels.
Because you have used 0.0.0.0 0.0.0.0 as the address in the isakmp command, this means any remote address can try and connect using IPsec. In effect you have relaxed the security. You need to make very sure that the key you choose is good enough, as this is your only real form of security now, so choosing something like "cisco123" would not be a very wise thing.
I have used crypto map vpn-set 6 to add in the dynamic map. In practice you should use an index number quite a bit higher than your last static entry. You need to make sure that this entry is always the last in your crypto map vpn-set entries, so make sure there is quite a lot of leeway to add more fixed IP address tunnels in between your last fixed tunnel configuration and the dynamic one.
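The two cautions in the reply above (keep the dynamic entry last with room below it, and use a strong key when the peer address is 0.0.0.0) can be checked mechanically before a change goes in. The following is an added example, not part of the original thread: the sample configuration is constructed in PIX 6.x syntax, and the names `dyn-home` and `myset`, the peer addresses, and both thresholds are assumptions.

```python
import re

# Constructed sample; peers are documentation addresses, names are placeholders.
SAMPLE = """\
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
crypto dynamic-map dyn-home 10 set transform-set myset
crypto map vpn-set 1 ipsec-isakmp
crypto map vpn-set 1 set peer 192.0.2.10
crypto map vpn-set 5 ipsec-isakmp
crypto map vpn-set 5 set peer 192.0.2.50
crypto map vpn-set 6 ipsec-isakmp dynamic dyn-home
crypto map vpn-set interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")
WILDCARD_KEY = re.compile(
    r"^isakmp key (\S+) address 0\.0\.0\.0 netmask 0\.0\.0\.0\s*$")
MIN_KEY_LEN = 20  # assumption: local policy for a key accepted from any address
MIN_GAP = 100     # assumption: free sequence numbers wanted below the dynamic entry

def audit(config, map_name="vpn-set"):
    """Return finding codes for one crypto map in a PIX config draft."""
    static, dynamic, findings = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if entry and entry.group(1) == map_name:
            # Entries that reference a dynamic-map accept peers of unknown address.
            (dynamic if entry.group(3) else static).append(int(entry.group(2)))
            continue
        key = WILDCARD_KEY.match(line)
        # Only meaningful where the key text is visible (a change draft),
        # not where the device has masked it in its output.
        if key and len(key.group(1)) < MIN_KEY_LEN:
            findings.append("wildcard-key-short")
    if dynamic and static:
        if min(dynamic) < max(static):
            findings.append("dynamic-not-last")   # static tunnels sit after it
        elif min(dynamic) - max(static) < MIN_GAP:
            findings.append("dynamic-no-leeway")  # no room for new static tunnels
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Length is only a rough stand-in for key quality; the check exists to catch a short shared key being paired with the any-address match.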