Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX- VPN on an IP range? Is it possible?

Hi there- I wonder if someone out there

could help me sanity check the following:-

The scenario we have is:

we have a customer who wants to set up a VPN, at fairly low cost. They operate a fleet of ships which periodically come into dry dock.

While in dock, they wish to be able to access their corporate LAN via VPN- no VPN exists at present. We have identified GPRS as being about the only transmission medium available that meets their needs in terms of cost, bandwidth and mobility.

What they are after is a form of VPN: I suggested a Cisco PIX- I'm thinking about a 501- as vpn terminator at their headquarters.

The complication is: we won't know for definite what their inbound ip address will be, as their GPRS dial-up ISP operates dhcp, which will make vpn config creation difficult. However, I do know what range of IP addresses the ISP (it is o2 in the UK, the mobile

phone company) hand out from their address pool.

So: my question is- can a config be defined on the PIX 501 that will allow a vpn tunnel to be created from a known range of ip addresses, rather than a single ip?

BTW: I've ruled out Cisco's 'Easy VPN' service, as we will not have Cisco kit at both ends (VPN over o2 GPRS dial-up connection would seem to need a custom vpn client devised by o2-although they claim it is IPSec compatible). I don't think ddns would work either.

If anyone can help, I'd be much obliged.



New Member

Re: PIX- VPN on an IP range? Is it possible?

HI Or8it!

As much as i can understand, you want a PIX to terminate sw VPN Client requests. Beeing so, you dont't need to configure those VPN Client source IPs (ISP public Internet IPs). You can configure the PIX to receive VPN requests from anywhere in the Internet as long as they the correct usernames/passwords to establish the VPN IPSec tunnels.


New Member

Re: PIX- VPN on an IP range? Is it possible?

Thanks for that, ovieira.

That's really wowed me- I've only just really started to look at vpn's, but even those I've spoken to who seem to know more than me all said that the IP addresses of all parties had to be known. That's very interesting- thanks for taking the time to reply.


New Member

Re: PIX- VPN on an IP range? Is it possible?

Only one side is required to be static.

The only caveat is that the static side cannot initiate the tunnel with the dynamic side. The dynamic side must initiate the tunnel. If no interesting traffic is generated by the dynamic side, the static side will not be able to reach the dynamic side.

Usually this is no big deal as the dynamic side is usually trying to reach resources on the static side and not vice-versa.

The following sample config is your ticket and will even allow for PC's running the Cisco VPN client software to connect as well as other PIX firewalls (at the same time, even).