PIX Site to site with dynamic peers

Discussion in 'Cisco' started by vuu-g6c, Aug 17, 2004.

  1. vuu-g6c (Guest)

    Hello,

    I am trying to setup something like this.

    On a central site using static IP addresses, I have a PIX 525
    (6.3(3)).

    Remote sites are PIX 501s, basically connected to cable or ADSL. They get
    their IP using DHCP from the ISP and the IP changes often.

    How do I tell the central site that the IP addresses of the peers are
    dynamic? PIX does not like 0.0.0.0 as the IP of the remote peers.

    Thank you,

    /nicolas
     
    vuu-g6c, Aug 17, 2004
    #1

  2. :I am trying to setup something like this.

    :On a central site using static ip addresses, I have a PIX 525
    :(6.3(3)).

    :Remote sites are PIX 501 basically connected to cable, aDSL. They got
    :their IP using DHCP from the ISP and the IP change often.

    :How do I say to the central site that the IP address of the peers are
    :dynamic? PIX does not like 0.0.0.0 as the IP of the remote peers.

    Use 'crypto dynamic-map' to define the transforms, and import
    that dynamic map into a regular crypto map with the 'dynamic' keyword.
    Do not try to specify the peer for this case.

    If you are using pre-shared keys, then you can differentiate between
    the remote systems whose potential IP ranges do not overlap, but
    if any of them overlap then either you have to give them the same
    preshared key, or you have to use certificates, or else you have to
    use the EzVPN feature (vpdngroup etc.).
     
    Walter Roberson, Aug 17, 2004
    #2
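One way to check the overlap condition from the reply above before handing out per-site pre-shared keys, as an added Python example that is not from the thread: the site names and ISP DHCP ranges are constructed sample values, and the generated lines use the `netmask` form of `isakmp key`, which is assumed to be available on the central PIX.

```python
import ipaddress
from itertools import combinations

# Constructed sample: each remote PIX 501 site and the address range(s) its
# ISP's DHCP pool may assign it. Values are made up for the example.
SITES = {
    "branch-a": ["203.0.113.0/25"],
    "branch-b": ["203.0.113.128/25"],
    "branch-c": ["198.51.100.0/24"],
    "branch-d": ["198.51.100.0/22"],  # overlaps branch-c
}

def overlapping_sites(sites):
    """Return (site, site) pairs whose possible peer address ranges overlap.
    Such pairs cannot be told apart by a per-address pre-shared key."""
    clashes = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(sites.items()), 2):
        if any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in nets_a for y in nets_b):
            clashes.append((a, b))
    return clashes

def psk_key_lines(sites, keys):
    """Render one 'isakmp key <key> address <net> netmask <mask>' line per
    range (assumed PIX 6.x syntax). Returns None when any ranges overlap,
    because then the same key would have to be shared, or certificates /
    Easy VPN used instead, as the reply above explains."""
    if overlapping_sites(sites):
        return None
    lines = []
    for site, nets in sites.items():
        for n in nets:
            net = ipaddress.ip_network(n)
            lines.append(f"isakmp key {keys[site]} address "
                         f"{net.network_address} netmask {net.netmask}")
    return lines

if __name__ == "__main__":
    print("overlapping:", overlapping_sites(SITES))
    disjoint = {k: v for k, v in SITES.items() if k != "branch-d"}
    for line in psk_key_lines(disjoint, {s: f"key-{s}" for s in disjoint}):
        print(line)
```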


  3. Here are configuration guides for Easy VPN and certificate
    authentication:


    EASY VPN

    Remote PIX

    vpnclient vpngroup groupname password group-password
    vpnclient username username password password
    vpnclient server 203.X.X.X
    vpnclient mode network-extension-mode
    vpnclient enable


    Central PIX

    access-list no-nat permit ip 192.168.252.0 255.255.255.240 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list no-nat
    ip local pool vpn-pool 172.16.1.1-172.16.1.254
    sysopt connection permit-ipsec

    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto dynamic-map cisco 1 set transform-set strong
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside

    isakmp enable outside
    isakmp keepalive 10 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    vpngroup mygroup address-pool vpn-pool
    vpngroup mygroup idle-time 1800
    vpngroup mygroup password testing123
    vpngroup password idle-time 1800
    vpngroup mygroup default-domain example.com


    Certificate Authentication

    1. Enrol the PIX with the certificate authority

    Steps required to enrol for a certificate with a Certificate Authority:

    Step 1: Configure NTP service
    ntp server X.X.X.X source outside

    Step 2: Enter configuration mode
    configure terminal

    Step 3: Configure the name of the system
    hostname pixexample

    Step 4: Configure your domain name
    domain-name example.com

    Step 5: Clear all CA settings
    clear cry ca

    Step 6: Remove keys from the PKI keyring
    ca zeroize rsa

    Step 7: Generate a new public/private key pair
    ca generate rsa key 1024

    Step 8: Configure the Certificate Authority IP and URL
    ca identity caserver X.X.X.X/certificateauthority.dll

    Step 9: Configure the retry period and attempts for the CA
    ca configure caserver 1 20

    Step 10: Authenticate to the CA server
    ca auth caserver

    Step 11: Enroll for a new certificate
    ca enroll caserver password serial

    Step 12: Save certificate and PKI information
    ca save all

    Step 13: Save the PIX configuration
    write memory

    Step 14: Request a new CRL from the CA
    ca request crl caserver


    Remote Site Configuration
    access-list no-nat permit ip 192.168.252.0 255.255.255.240 172.17.1.0 255.255.255.0
    nat (inside) 0 access-list no-nat
    access-list PROTECT permit ip 192.168.252.0 255.255.255.240 172.17.1.0 255.255.255.0
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    sysopt connection permit-ipsec
    isakmp enable outside
    isakmp keepalive 10 10
    isakmp nat-traversal 20
    isakmp key testing123 address 203.X.X.X
    isakmp policy 1 authentication rsa-sig
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    crypto map dyn-map 1 ipsec-isakmp
    crypto map dyn-map 1 match address PROTECT
    crypto map dyn-map 1 set peer 203.X.X.X
    crypto map dyn-map 1 set transform-set strong
    crypto map dyn-map interface outside



    Central Pix configuration

    access-list no-nat permit ip 172.17.1.0 255.255.255.0 192.168.252.0 255.255.255.240
    nat (inside) 0 access-list no-nat
    access-list PROTECT permit ip 172.17.1.0 255.255.255.0 192.168.252.0 255.255.255.240
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    sysopt connection permit-ipsec
    isakmp enable outside
    isakmp keepalive 10 10
    isakmp nat-traversal 20
    isakmp key testing123 address 203.X.X.X
    isakmp policy 1 authentication rsa-sig
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    crypto map dyn-map 1 ipsec-isakmp
    crypto map dyn-map 1 match address PROTECT
    crypto map dyn-map 1 set peer 203.X.X.X
    crypto map dyn-map 1 set transform-set strong
    crypto map dyn-map interface outside




    This worked for me, and I am just cutting and pasting from my
    knowledge base.

    These are the only two ways I know of that you can make a PIX build
    VPNs to dynamic peers without allowing an isakmp peer of 0.0.0.0.
     
    Anthony Mahoney, Aug 18, 2004
    #3
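An added example, not from the thread, that lints a central-site PIX config for the dynamic-peer pattern the Easy VPN configuration above relies on (a crypto map that imports a dynamic map, applied to the interface where isakmp is enabled, with no pinned peer). The sample input is the central-PIX crypto lines from the post plus one constructed wildcard `isakmp key ... address 0.0.0.0` line, added so the linter has something to report.

```python
import re

# Sample input: the central-PIX crypto lines from the Easy VPN configuration
# above, plus one constructed wildcard pre-shared key line (not in the post)
# so the linter has something to report.
CENTRAL_PIX = """
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set strong
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp key anykey address 0.0.0.0 netmask 0.0.0.0
"""

def lint_dynamic_peer_config(cfg):
    """Return findings for a PIX 6.x crypto map that accepts dynamic peers."""
    lines = [ln.strip() for ln in cfg.splitlines() if ln.strip()]
    findings = []
    transform_sets = {m.group(1) for ln in lines
                      if (m := re.match(r"crypto ipsec transform-set (\S+)", ln))}
    dyn_maps = {}  # dynamic-map name -> transform-sets it references
    for ln in lines:
        if m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)", ln):
            dyn_maps.setdefault(m.group(1), set()).add(m.group(2))
        if m := re.match(r"crypto dynamic-map (\S+) \d+ set peer", ln):
            findings.append(f"dynamic-map {m.group(1)} sets a peer; dynamic peers will not match it")
    for name, sets in dyn_maps.items():
        for ts in sorted(sets - transform_sets):
            findings.append(f"dynamic-map {name} uses undefined transform-set {ts}")
    applied = {m.group(1): m.group(2) for ln in lines
               if (m := re.match(r"crypto map (\S+) interface (\S+)", ln))}
    isakmp_ifs = {m.group(1) for ln in lines
                  if (m := re.match(r"isakmp enable (\S+)", ln))}
    for ln in lines:
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", ln):
            cmap, dyn = m.groups()
            if dyn not in dyn_maps:
                findings.append(f"crypto map {cmap} references undefined dynamic-map {dyn}")
            if cmap not in applied:
                findings.append(f"crypto map {cmap} is not applied to any interface")
            elif applied[cmap] not in isakmp_ifs:
                findings.append(f"isakmp is not enabled on {applied[cmap]}, where {cmap} is applied")
        if re.match(r"isakmp key \S+ address 0\.0\.0\.0\b", ln):
            findings.append("wildcard pre-shared key (address 0.0.0.0) accepts any peer that knows the key")
    return findings

if __name__ == "__main__":
    for f in lint_dynamic_peer_config(CENTRAL_PIX):
        print("FINDING:", f)
```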
