Site to Site VPN w/DHCP

Discussion in 'Cisco' started by amattina@layer8group.com, Sep 18, 2006.

  1. Guest

    Friends,
    I have an interesting task assigned to me that I don't think is possible
    but I figured I'd throw it out there at least.

    Two sites, one site in USA one in China. USA site has a static
    address, China site will have a DHCP from the provider. China office
    needs to telnet to USA server to do whatever they do. I need a site to
    site VPN from one site to the other so this is all secured as best as
    possible. Obviously if the provider in China assigns a fresh DHCP
    address, the VPN tunnel will be broken. Is there a way to make this
    work? Static to DHCP site to site VPN using Cisco PIX equipment. I
    don't think there is a way but if there is let me know. Cisco seems to
    say only static addresses.

    "The public IP addresses are specified in the IPsec peers
    configuration, and require that the public addresses of the VPN routers
    to be static addresses."

    Thanks,
    Adam
    , Sep 18, 2006
    #1

  2. In article <>,
    <> wrote:
    >I have an interesting task assigned to me that I don't think is possible
    >but I figured I'd throw it out there at least.


    >Two sites, one site in USA one in China. USA site has a static
    >address, China site will have a DHCP from the provider. China office
    >needs to telnet to USA server to do whatever they do. I need a site to
    >site VPN from one site to the other so this is all secured as best as
    >possible. Obviously if the provider in China assigns a fresh DHCP
    >address, the VPN tunnel will be broken. Is there a way to make this
    >work? Static to DHCP site to site VPN using Cisco PIX equipment.


    With the Cisco PIX (and ASA, I believe), the device cannot initiate
    a VPN connection to another device that has a dynamic address,
    but a device that has a dynamic address *can* initiate a VPN connection
    to a device that has a static address.

    You indicate that the site in China will telnet to the USA server, which
    would seem to imply that having the China site initiate the connection
    would be fine under the circumstances.

    What you need to do to make the situation work, is to configure the
    site with the variable address normally (normal crypto map, normal
    'set peer'), but configure the site with the static address differently.
    The site with the static address should be configured with a
    crypto dynamic map.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1085720
    Walter Roberson, Sep 18, 2006
    #2
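
Added example, not part of the original posts and not taken from the linked Cisco documents: a PIX 6.3-style configuration sketch of the arrangement described in reply #2, with a dynamic crypto map on the static (USA) side and an ordinary crypto map with `set peer` on the DHCP (China) side. The addresses (203.0.113.10, 10.1.1.0/24, 10.2.2.0/24), the names `vpnset`, `dynmap`, `outside_map`, `vpn`, `nonat`, and the key placeholder are assumptions.

```cisco
! Constructed example, PIX 6.3-style syntax. All addresses, names and the
! key placeholder are assumptions for illustration.
!
! ===== USA PIX: static outside address 203.0.113.10, inside 10.1.1.0/24 =====
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
! No 'set peer' here: the dynamic map accepts a peer whose address is unknown
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
! Wildcard entry, because the remote address cannot be listed in advance
isakmp key <PRE-SHARED-KEY> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! ===== China PIX: DHCP outside address, inside 10.2.2.0/24 =====
ip address outside dhcp setroute
! Traffic that should be encrypted and sent through the tunnel
access-list vpn permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
! Normal static crypto map: this side always initiates toward the fixed peer
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set vpnset
crypto map outside_map interface outside
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Only traffic originating from the 10.2.2.0/24 side can bring the tunnel up, which matches the telnet-from-China use case in the thread. Because the wildcard `isakmp key` entry on the USA side accepts the key from any source address, the pre-shared key should be long and random.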

  3. Guest

    Walter,
    Thanks. I was on the phone with techdata and Cisco as I was posting and
    then came across the answer:

    http://www.cisco.com/en/US/products...s_configuration_example09186a0080094680.shtml

    I'll see how it goes.

    Have a great day!
    - Adam
    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    > >I have an interesting task assigned to me that I don't think is possible
    > >but I figured I'd throw it out there at least.

    >
    > >Two sites, one site in USA one in China. USA site has a static
    > >address, China site will have a DHCP from the provider. China office
    > >needs to telnet to USA server to do whatever they do. I need a site to
    > >site VPN from one site to the other so this is all secured as best as
    > >possible. Obviously if the provider in China assigns a fresh DHCP
    > >address, the VPN tunnel will be broken. Is there a way to make this
    > >work? Static to DHCP site to site VPN using Cisco PIX equipment.

    >
    > With the Cisco PIX (and ASA, I believe), the device cannot initiate
    > a VPN connection to another device that has a dynamic address,
    > but a device that has a dynamic address *can* initiate a VPN connection
    > to a device that has a static address.
    >
    > You indicate that the site in China will telnet to the USA server, which
    > would seem to imply that having the China site initiate the connection
    > would be fine under the circumstances.
    >
    > What you need to do to make the situation work, is to configure the
    > site with the variable address normally (normal crypto map, normal
    > 'set peer'), but configure the site with the static address differently.
    > The site with the static address should be configured with a
    > crypto dynamic map.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1085720
    , Sep 18, 2006
    #3