Cisco Support Community
New Member

dynamic and static vpn

I have a VPN set up as follows:

PIX A - HUB (STATIC IP)

PIX B - SPOKE B (DYNAMIC IP)

PIX C - SPOKE C (STATIC IP)

PRESENT WORKING VPN COMMUNICATIONS

PIX B TO PIX A - UNIDIRECTIONAL

PIX C TO PIX A - UNIDIRECTIONAL

GOAL

PIX B TO PIX A - UNIDIRECTIONAL

PIX C AND PIX A - BIDIRECTIONAL

Is this possible? I've tried a lot and just couldn't succeed. If anyone could give a link to a sample configuration, it would be greatly appreciated.

Thanks a lot.

5 REPLIES
Gold

Re: dynamic and static vpn

It's feasible to set up both LAN-to-LAN VPN and EzVPN on a single PIX.

192.168.1.0 <--> (192.168.1.1) pix (1.1.1.1) <--> internet/lan-lan vpn <--> (2.2.2.2) pix (192.168.2.1) <--> 192.168.2.0

192.168.1.0 <--> (192.168.1.1) pix (1.1.1.1) <--> internet/ezvpn <--> (dynamic) pix (192.168.100.1) <--> 192.168.100.0

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 122 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

ip address outside 1.1.1.1 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set 3des_set esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set 3des_set

crypto map myvpn 10 ipsec-isakmp dynamic dynmap

crypto map myvpn 20 ipsec-isakmp

crypto map myvpn 20 match address 121

crypto map myvpn 20 set peer 2.2.2.2

crypto map myvpn 20 set transform-set 3des_set

crypto map myvpn interface outside

isakmp enable outside

isakmp key xxxx address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn_hw_client dns-server 192.168.1.100

vpngroup vpn_hw_client default-domain yourcompany.com

vpngroup vpn_hw_client split-tunnel 122

vpngroup vpn_hw_client idle-time 1800

vpngroup vpn_hw_client password xxxx

Also read this Cisco doc:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

New Member

Re: dynamic and static vpn

Do I have to have only 1 isakmp key? In my config I have a key for the dynamic PIX B and another one for the static PIX C; see below:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp key ******** address 90.x.y.z netmask 255.255.255.255

Gold

Re: dynamic and static vpn

The command "isakmp key ******** address 0.0.0.0 netmask 0.0.0.0" is actually being replaced by "vpngroup vpn_hw_client password xxxx".

New Member

Re: dynamic and static vpn

Isn't vpngroup for users using VPN client software? I don't have such a client yet.

Gold

Re: dynamic and static vpn

Please have a read of the Cisco doc regarding the configuration of EzVPN, as I posted the URL in my first post.

"vpngroup" is actually part of the ezvpn configuration as well.
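
An added example, not written by anyone in this thread: a small Python check over a PIX 6.x-style hub config like the one in the first reply. It reports VPN ACL entries that the "nat 0" ACL does not cover, wildcard "isakmp key" entries like the one quoted above, and static peers with no host-specific key. It assumes plain "permit ip <net> <mask> <net> <mask>" ACL lines and numeric peer addresses; the finding names are made up for this example.

```python
import ipaddress

# Constructed sample: hub lines from the first reply plus the wildcard key line quoted
# later. The 192.168.200.0 entry is added on purpose and has no match in ACL 101.
SAMPLE = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 122 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 122 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map myvpn 20 match address 121
crypto map myvpn 20 set peer 2.2.2.2
vpngroup vpn_hw_client split-tunnel 122
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return sorted (finding, detail) tuples for a PIX 6.x-style config."""
    acls, vpn_acls, nat0, peers, keys = {}, set(), None, set(), []
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) == 8:
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) > 4:
            nat0 = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"] and len(t) == 7:
            vpn_acls.add(t[6])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"] and len(t) == 7:
            peers.add(t[6])
        elif t[:1] == ["vpngroup"] and t[2:3] == ["split-tunnel"] and len(t) == 4:
            vpn_acls.add(t[3])
        elif t[:2] == ["isakmp", "key"] and t[3:6:2] == ["address", "netmask"] and len(t) >= 7:
            keys.append(net(t[4], t[6]))
    findings, exempt = [], acls.get(nat0, [])
    # Every network pair a tunnel carries must also be exempt from NAT.
    for name in vpn_acls:
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                findings.append(("vpn-traffic-not-nat-exempt", f"acl {name}: {src} -> {dst}"))
    # A 0.0.0.0/0.0.0.0 key is accepted from any peer address.
    findings += [("wildcard-preshared-key", str(k)) for k in keys if k.prefixlen == 0]
    # Each static peer should have its own host-specific (/32) key.
    for p in peers:
        if not any(k.prefixlen == 32 and ipaddress.ip_address(p) in k for k in keys):
            findings.append(("static-peer-without-host-key", p))
    return sorted(findings)
```

Calling audit(SAMPLE) returns three findings; the same lines with the 192.168.200.0 entry removed and a host key for 2.2.2.2, as in the first reply, return none.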
