Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Site-to-site VPN (Pix-to-Pix) with one side having a dynamic address

Has anyone ever set up a site-to-site VPN with one of the two sites having a dynamic address? Today we're only using static IP addresses. The remote sites each have a specific subnet (a portion of 10.x.x.x space) assigned to them.

Thanks for any suggestions.


New Member

Re: Site-to-site VPN (Pix-to-Pix) with one side having a dynamic

Hi Pat,

Yes, we do have a sample configuration for dynamic site to static.

At ther central site, be specific on your access lists to what traffic goes to what tunnel.

Hope this helps


New Member

Re: Site-to-site VPN (Pix-to-Pix) with one side having a dynamic

Thanks for the pointer. I've got a couple of questions about this example.

- In access list 100 (which defines what traffic goes through the tunnel), there's a reference to I don't see this subnet mentioned anywhere else in the example. Would this be an example of how you would set up a second remote site to come in over a tunnel?

- I always remember hearing that the access-lists that define tunnel traffic should be symmetric between the two ends of the tunnel. It looks like the central site PIX is using some summarization in access list 100 to define all tunnel traffic with 1 access list. Is this safe?

- It appears that all remote sites as well as VPN clients must use the same preshared key. Is this correct?



Cisco Employee

Re: Site-to-site VPN (Pix-to-Pix) with one side having a dynamic


The is the ip address range we are assigning to the clients (in the example), there is a pool called "client pool" defined.

The access-list 100 which is defined on the central pix is being used to bypass NAT. We don't actually define what traffic is going thru the tunnel on the central pix, it gets negotiated.

The remote site as well as the VPN clients use the same pre-shared key since both of them get their ip address dynamically



CreatePlease to create content