09-14-2005 01:35 AM - edited 02-21-2020 12:23 AM
Hi,
I have a problem!?!?
As a third party, I was given a username and password for the ISP for a dynamic IP for a connection to the Internet. The device connected to the dynamic IP will be a PIX 501.
Since I'm new to VPNs, my question is:
How do I configure the PIX 501 to be connected to one 2611 and one 1710, and vice versa?
Both the 2611 and the 1710 have fixed IPs, concerning the dynamic IP on the PIX 501.
I will be grateful for some good advice.
09-14-2005 05:38 PM
Configure the PIX as an EzVPN client and the 2611 and 1710 as EzVPN servers. One catch is that the VPN can only be established by a user behind the PIX.
If a full-mesh VPN is required, you can still configure a LAN-to-LAN VPN between the routers as normal. A router can act as both an EzVPN server and a normal IPsec peer at the same time.
09-19-2005 03:28 AM
Hi jackko,
I need a LAN-to-LAN VPN: full mesh between the PIX, 2611 and 1710, with a dynamic address on the PIX.
I can't open the link. Maybe I don't have enough Cisco points to access the link. ;-)
09-19-2005 05:36 PM
With a LAN-to-LAN VPN you'll need a static IP. It can be dynamic but it has to be a static.
The PIX will be assigned an IP every time it boots up; the LAN-to-LAN VPN will work as long as the assigned IP stays the same.
09-27-2005 10:49 PM
The ISP for the 501 runs PPPoE with a dynamic IP address, username and password.
The ISP for the 1710 runs a static IP address.
Our 2611 uses a static IP.
And if it's a better solution, we can connect the 501 to a 3005.
What's giving me the "chill" is the dynamic IP.
What would the config look like on the 501 and the 1700 and 2611/3005?
I've given up hope on LAN-to-LAN on the PIX.
09-28-2005 06:33 AM
Please read the attached; it is the sample provided by Cisco at the URL posted before. It shows the bit with the 501 and 1700/2611 with EzVPN.
Below is a sample for a 1700/2611 LAN-to-LAN VPN:
aaa new-model
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer
 set transform-set myset
 match address 121
interface Ethernet0
 ip nat inside
interface Dialer0
 ip access-group 111 in
 crypto map mymap
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip
access-list 101 permit ip
access-list 111 permit ip
access-list 121 permit ip
route-map nonat permit 10
 match ip address 101
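
The sample above selects 3DES, MD5 and Diffie-Hellman group 2, and appears on this page with the key and peer addresses blank. As an added example (not part of the thread or of Cisco's sample), this Python script checks IOS crypto configuration text for those legacy settings and for incomplete peer entries. The `audit` function, the legacy lists and the re-indented sample input are assumptions made for the illustration.

```python
# Added example: static checks over IOS IPsec configuration text.
# Expects `show running-config` indentation (sub-commands start with a space).

# Constructed input: crypto lines of the thread's sample, re-indented; the
# key/peer addresses are blank on the page and stay blank here.
SAMPLE = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer
 set transform-set myset
 match address 121
"""

# Assumption: what this checker treats as legacy (DES/3DES, MD5, DH groups 1, 2, 5).
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
LEGACY_IKE = {"encr": {"des", "3des"}, "encryption": {"des", "3des"},
              "hash": {"md5"}, "group": {"1", "2", "5"}}

def audit(config):
    """Return findings for legacy crypto and incomplete peer settings."""
    findings, section, defined = [], "", set()
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():
            section = raw.strip()  # a top-level command opens a new section
        if section.startswith("crypto isakmp policy") and raw[0].isspace():
            if len(words) > 1 and words[1] in LEGACY_IKE.get(words[0], ()):
                findings.append(f"{section}: legacy IKE setting '{raw.strip()}'")
        elif words[:3] == ["crypto", "isakmp", "key"] and words[-1] == "address":
            findings.append("crypto isakmp key: no peer address given")
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
            defined.add(words[3])
            for t in sorted(LEGACY_TRANSFORMS.intersection(words[4:])):
                findings.append(f"transform-set {words[3]}: legacy transform {t}")
        elif section.startswith("crypto map") and raw[0].isspace():
            if words == ["set", "peer"]:
                findings.append(f"{section}: 'set peer' has no address")
            elif words[:2] == ["set", "transform-set"]:
                findings += [f"{section}: undefined transform-set {n}"
                             for n in words[2:] if n not in defined]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```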