Cisco Support Community

problem with static to dynamic connections in VPN


I am trying to configure a PIX 515 to accept dynamic connections from remote clients and remote Cisco IOS routers (with dynamic IP).

I have no problem with the clients, but I can't establish a tunnel with the routers.

Here is my configuration file on the PIX:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password jLM8v3IOUGCnCDWR encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname Sabetpix


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list sabet1_splitTunnelAcl permit ip any

access-list inside_outbound_nat0_acl permit ip

access-list inside_outbound_nat0_acl permit ip

access-list inside_outbound_nat0_acl permit ip

access-list outside_cryptomap_dyn_20 permit ip any

access-list sabet2_splitTunnelAcl permit ip any

access-list outside_cryptomap_dyn_40 permit ip any

access-list outside_cryptomap_dyn_60 permit ip any

access-list outside_cryptomap_dyn_80 permit ip sabet0

access-list outside_cryptomap_dyn_90 permit ip

pager lines 24

logging on

logging console notifications

logging monitor notifications

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool remotevpn1

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside

failover ip address inside

pdm location inside

pdm location outside

pdm location sabet0 outside

pdm location outside

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0 0

conduit permit icmp any any

conduit permit tcp any any

conduit permit udp any any

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http outside

http outside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5

crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5

crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80

crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA

crypto dynamic-map outside_dyn_map 90 match address outside_cryptomap_dyn_90

crypto dynamic-map outside_dyn_map 90 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 90 authentication pre-share

isakmp policy 90 encryption des

isakmp policy 90 hash md5

isakmp policy 90 group 2

isakmp policy 90 lifetime 6400

vpngroup sabet1 address-pool remotevpn1

vpngroup sabet1 wins-server

vpngroup sabet1 default-domain

vpngroup sabet1 split-tunnel sabet1_splitTunnelAcl

vpngroup sabet1 idle-time 1800

vpngroup sabet1 password ********

vpngroup sabet2 address-pool remotevpn1

vpngroup sabet2 wins-server

vpngroup sabet2 default-domain

vpngroup sabet2 split-tunnel sabet2_splitTunnelAcl

vpngroup sabet2 idle-time 1800

vpngroup sabet2 password ********

vpngroup sabet3 address-pool remotevpn1

vpngroup sabet3 wins-server

vpngroup sabet3 default-domain

vpngroup sabet3 idle-time 1800

vpngroup sabet3 password ********

telnet outside

telnet outside

telnet inside

telnet timeout 5

ssh outside

ssh timeout 5

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname fti/ebt6t2k

vpdn group pppoe_group ppp authentication chap

vpdn username fti/ebt6t2k password *********

vpdn username sabet password *********

dhcpd domain

username sabet password pnDLqQIbA4bEoSxg encrypted privilege 15

terminal width 80


: end


Thanks!


Re: problem with static to dynamic connections in VPN


Can you enable:

debug cry isa

debug cry ip

These debugs are needed to troubleshoot the problem.



Re: problem with static to dynamic connections in VPN

Hi, I resolved the problem by also enabling IPsec keepalive on the PIX.

Keepalive was enabled on the router but not on the PIX.

So I added the command: "isakmp keepalive 60 60".

Thanks for your interest in this question!
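
A check for the condition the last reply describes, as an added example that is not part of the thread: it parses PIX 6.x `crypto map` and `isakmp` lines and reports a dynamic crypto map applied to an interface with no `isakmp keepalive` configured. It goes slightly beyond the question by also listing ISAKMP policies that use DES or MD5; the function names and the sample text (a constructed subset of the posted directives) are assumptions of this example.

```python
import re

# Constructed sample: a trimmed subset of the directives in the posted config.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

WEAK = {("encryption", "des"), ("hash", "md5")}

def parse_pix(text):
    """Collect the crypto map and ISAKMP facts the audit needs."""
    facts = {"dynamic_maps": set(), "bound_maps": set(),
             "keepalive": None, "policies": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+", line):
            facts["dynamic_maps"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface \S+", line):
            facts["bound_maps"].add(m.group(1))
        elif m := re.match(r"isakmp keepalive (\d+)(?: (\d+))?$", line):
            retry = int(m.group(2)) if m.group(2) else None
            facts["keepalive"] = (int(m.group(1)), retry)
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            facts["policies"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return facts

def audit(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    f = parse_pix(text)
    findings = []
    if f["dynamic_maps"] & f["bound_maps"] and f["keepalive"] is None:
        findings.append("dynamic crypto map applied to an interface, no 'isakmp keepalive'")
    for num, policy in sorted(f["policies"].items()):
        weak = [policy[k] for k in ("encryption", "hash") if (k, policy.get(k)) in WEAK]
        if weak:
            findings.append(f"isakmp policy {num} uses {'/'.join(weak)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
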
