Cisco Support Community

New Member

501 to 515 via DHCP

I have a PIX501 I want to install in a user's home on a cable network. The PIX501 will come up with a DHCP IP address from its carrier. How do I configure the PIX515 for this connection since I will not know what the IP address of the unit will be?

Hall of Fame Super Blue

Re: 501 to 515 via DHCP


What type of connection do you mean, i.e.

1) remote access vpn

2) site-to-site VPN - in which case have a look at a pre-shared wildcard key, which does not require you to know the remote IP address of the 501 to set up a tunnel.

3) Normal application access such as http/telnet etc.


New Member

Re: 501 to 515 via DHCP

I know how to configure the 501 on the cable network. I am a little unclear on the 515. Normally when you configure the "crypto map" and the "isakmp key" you have to use the IP address of the 501. In this case the 501 will be getting its IP via DHCP so I won't know what it will be. In this case I thought there was a special config for the 515, but I cannot seem to find it.

Hall of Fame Super Blue

Re: 501 to 515 via DHCP

OK, I'm assuming you are talking about a site-to-site VPN?

Attached is a doc that shows how to configure a 2811 router to accept a site-to-site VPN tunnel from a PIX without knowing the public IP address of the PIX. It should be fairly straightforward to translate the 2811 commands to PIX commands.

Key points

1) isakmp key "cisco123" address 0.0.0.0 netmask 0.0.0.0

which means you don't have to specify the remote IP address - i.e. any address can try to connect - see caveats below.

2) You create a dynamic crypto map entry called "remote_pix" eg.

crypto dynamic-map remote_pix 1 match address remoteacl ** obviously you need to define this access-list **

crypto dynamic-map remote_pix 1 set pfs group2

crypto dynamic-map remote_pix 1 set transform-set ESP-3DES-SHA

crypto dynamic-map remote_pix 1 set security-association lifetime seconds 3600 kilobytes 4608000

Note that there is no mention of a crypto map set peer "ip address" here.

You then apply the dynamic crypto map to your existing crypto map on the PIX 515. So let's say for argument's sake you already have a crypto map applied to the outside interface with site-to-site VPNs already defined, and these site-to-site VPNs are using static IP addresses for the remote end.

Your crypto map is called vpn-set and you have 5 entries already for 5 different vpn tunnels.

To add your dynamic crypto map

crypto map vpn-set 6 ipsec-isakmp dynamic remote_pix



Because you have used 0.0.0.0 as the address in the isakmp command, this means any remote address can try and connect using IPsec. In effect you have relaxed the security. You need to make very sure that the key you choose is good enough, as this is your only real form of security now, so choosing something like "cisco123" would not be a very wise thing.

I have used crypto map vpn-set 6 to add in the dynamic map. In practice you should use an index number quite a bit higher than your last static entry. You need to make sure that this entry is always the last in your crypto map vpn-set entries, so make sure there is quite a lot of leeway to add more fixed-IP-address tunnels in between your last fixed tunnel configuration and the dynamic one.

Hope this all makes sense
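As an added worked example (not part of the posts above), here is how the pieces described in the reply fit together on both ends, written in PIX 6.x syntax. The names remoteacl, remote_pix, vpn-set and ESP-3DES-SHA are the ones used in the reply; everything else is an assumption chosen for the example: hub outside address 198.51.100.10, hub LAN 10.1.0.0/24, home LAN behind the 501 192.168.10.0/24, the existing static peer 203.0.113.20 with its access-list static-site1, the access-list and map names nonat, vpnacl and tohub, and the placeholder key string. The dynamic entry is given a high sequence number so that static peers can be added in front of it later, as the reply recommends.

```cisco
! ===== PIX 515 (hub, fixed public IP 198.51.100.10) =====
! Constructed example: all addresses, names and the key are placeholders.

! Traffic to protect: hub LAN <-> home LAN behind the 501
access-list remoteacl permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
! Same traffic must bypass NAT so it enters the tunnel with private addresses
access-list nonat permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 1 (IKE) policy - must match on the 501
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Wildcard pre-shared key: any source address may attempt IKE with this key,
! so the key itself is the only thing authenticating the peer. Use a long,
! random string; "REPLACE-WITH-LONG-RANDOM-PRESHARED-KEY" is a placeholder.
isakmp key REPLACE-WITH-LONG-RANDOM-PRESHARED-KEY address 0.0.0.0 netmask 0.0.0.0

! Phase 2 (IPsec) - dynamic map entry with no "set peer"
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map remote_pix 1 match address remoteacl
crypto dynamic-map remote_pix 1 set pfs group2
crypto dynamic-map remote_pix 1 set transform-set ESP-3DES-SHA
crypto dynamic-map remote_pix 1 set security-association lifetime seconds 3600 kilobytes 4608000

! Existing static tunnel (seq 1) is left untouched
crypto map vpn-set 1 ipsec-isakmp
crypto map vpn-set 1 match address static-site1
crypto map vpn-set 1 set peer 203.0.113.20
crypto map vpn-set 1 set transform-set ESP-3DES-SHA
! Dynamic entry placed at a high sequence number so it is evaluated last,
! leaving room for more static peers in between
crypto map vpn-set 65000 ipsec-isakmp dynamic remote_pix
crypto map vpn-set interface outside


! ===== PIX 501 (spoke, outside address assigned by the cable provider) =====
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0

access-list vpnacl permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! The spoke knows the hub address, so its key is bound to that single peer
isakmp key REPLACE-WITH-LONG-RANDOM-PRESHARED-KEY address 198.51.100.10 netmask 255.255.255.255

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map tohub 10 ipsec-isakmp
crypto map tohub 10 match address vpnacl
crypto map tohub 10 set peer 198.51.100.10
! PFS must match the hub's dynamic map, otherwise phase 2 fails
crypto map tohub 10 set pfs group2
crypto map tohub 10 set transform-set ESP-3DES-SHA
crypto map tohub interface outside
```

Two consequences of this design are worth keeping in mind. Because the hub has no peer address for the 501, only the 501 can initiate the tunnel; the hub side will sit idle until interesting traffic from the home LAN brings it up, and hub-originated traffic to 192.168.10.0/24 is dropped until then. And since the wildcard key accepts IKE from any source, the key string is the whole authentication, so treat it like a password of a privileged account: generate it randomly, make it long, and rotate it if the 501 is ever lost. To confirm the tunnel, generate traffic from the home LAN and check show isakmp sa and show crypto ipsec sa on either side.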