dhcp and pix

Discussion in 'Cisco' started by Branigan, Jun 22, 2006.

  1. Branigan

    Branigan Guest

    i have an ipsec tunnel setup from various pix501's back to a vpn3000
    concentrator. my question is can i use dhcp on the 501's and have the
    vpn3000 or 501 update the concentrator with a new ip address if it should
    change? thx...
    Branigan, Jun 22, 2006
    #1

  2. In article <>,
    Branigan <> wrote:
    >i have an ipsec tunnel setup from various pix501's back to a vpn3000
    >concentrator. my question is can i use dhcp on the 501's


    Yes.

    >and have the
    >vpn3000 or 501 update the concentrator with a new ip address if it should
    >change?


    What do you mean by "update the concentrator with a new ip address" ?

    If the outside interface of your PIX uses dhcp then you need to
    use a crypto dynamic map on the -other- end. [I don't know what
    the vpn3000 calls this, but I'm sure it has the equivalent.]
    Provided that the isakmp key address/mask combination on the concentrator
    covers all addresses that -could- be assigned to the 501, and
    provided that you are using internal IP address ranges to designate
    the traffic [the normal configuration], you don't need to update anything
    on the concentrator.

    Note: in this configuration, the concentrator will not be able to bring
    up the tunnel if the tunnel is down: the end with the dynamic IP address
    must bring up the tunnel. If what you were hoping for was for the
    concentrator to know the "last known" IP address of the PIX so that the
    concentrator could try to bring up the tunnel, then No, there is no
    way to do that without manual intervention (or without some kind
    of program on a computer that reached into the concentrator and
    reconfigured it.)

    Hint for this configuration: use isakmp identity hostname
    instead of isakmp identity address
    Walter Roberson, Jun 22, 2006
    #2
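
The condition in the answer above, that the concentrator's isakmp key address/mask entries cover every address the 501 could be assigned, can be checked offline before a DHCP change breaks the tunnel. This is an added example, not part of the original thread: the DHCP ranges and key entries are constructed sample values using documentation prefixes, and the function names are hypothetical. It also counts the addresses each key set matches outside the DHCP ranges, since an all-zero address/mask matches any peer address.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not taken from the thread.
DHCP_RANGES = [("198.51.100.10", "198.51.100.250"), ("203.0.113.1", "203.0.113.126")]
NARROW_KEYS = [("198.51.100.0", "255.255.255.0"), ("203.0.113.0", "255.255.255.192")]
WILDCARD_KEY = [("0.0.0.0", "0.0.0.0")]

def _ip(text):
    return int(ipaddress.ip_address(text))

def key_intervals(key_entries):
    """Merge (address, netmask) key entries into sorted integer [first, last] spans."""
    spans = []
    for addr, mask in key_entries:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        spans.append((int(net.network_address), int(net.broadcast_address)))
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def uncovered(key_entries, dhcp_ranges):
    """Return the parts of each DHCP range that no key entry matches."""
    gaps = []
    for first, last in dhcp_ranges:
        cur, end = _ip(first), _ip(last)
        for lo, hi in key_intervals(key_entries):
            if hi < cur or lo > end:
                continue  # span does not touch what is left of the range
            if lo > cur:
                gaps.append((cur, lo - 1))
            cur = hi + 1
            if cur > end:
                break
        if cur <= end:
            gaps.append((cur, end))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in gaps]

def excess_addresses(key_entries, dhcp_ranges):
    """Addresses matched by the keys outside the DHCP ranges (ranges assumed disjoint)."""
    count = lambda pairs: sum(_ip(b) - _ip(a) + 1 for a, b in pairs)
    matched = sum(hi - lo + 1 for lo, hi in key_intervals(key_entries))
    return matched - (count(dhcp_ranges) - count(uncovered(key_entries, dhcp_ranges)))

if __name__ == "__main__":
    for name, keys in (("narrow", NARROW_KEYS), ("wildcard", WILDCARD_KEY)):
        print(name, uncovered(keys, DHCP_RANGES), excess_addresses(keys, DHCP_RANGES))
```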

  3. Branigan

    Branigan Guest

    thx Walter, that will get me started. I appreciate the help with this...

    thx again.
    "Walter Roberson" <> wrote in message
    news:%Yxmg.74636$iF6.15738@pd7tw2no...
    > In article <>,
    > Branigan <> wrote:
    >>i have an ipsec tunnel setup from various pix501's back to a vpn3000
    >>concentrator. my question is can i use dhcp on the 501's

    >
    > Yes.
    >
    >>and have the
    >>vpn3000 or 501 update the concentrator with a new ip address if it should
    >>change?

    >
    > What do you mean by "update the concentrator with a new ip address" ?
    >
    > If the outside interface of your PIX uses dhcp then you need to
    > use a crypto dynamic map on the -other- end. [I don't know what
    > the vpn3000 calls this, but I'm sure it has the equivalent.]
    > Provided that the isakmp key address/mask combination on the concentrator
    > covers all addresses that -could- be assigned to the 501, and
    > provided that you are using internal IP address ranges to designate
    > the traffic [the normal configuration], you don't need to update anything
    > on the concentrator.
    >
    > Note: in this configuration, the concentrator will not be able to bring
    > up the tunnel if the tunnel is down: the end with the dynamic IP address
    > must bring up the tunnel. If what you were hoping for was for the
    > concentrator to know the "last known" IP address of the PIX so that the
    > concentrator could try to bring up the tunnel, then No, there is no
    > way to do that without manual intervention (or without some kind
    > of program on a computer that reached into the concentrator and
    > reconfigured it.)
    >
    > Hint for this configuration: use isakmp identity hostname
    > instead of isakmp identity address
    Branigan, Jun 22, 2006
    #3