PIX-to-ASA Dynamic-to-Static VPN – Part 1

I had to set up a PIX-to-PIX VPN tunnel where one of the PIXes had a dynamic IP address. Here are the sample configs:

Static Side (Pix):

access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_filial permit ip

ip address outside X.X.X.X Y.Y.Y.Y

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
! Binding of the dynamic map into outside_map; assumed missing from the posted config, sequence number is an assumption
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key 1234567890 address netmask
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

Dynamic Address (ASA):

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

access-list CRYPTO-TO-XXX extended permit ip
access-list INSIDE_OUTBOUND_NAT0_ACL extended permit ip

global (outside) 1 interface
nat (inside) 0 access-list INSIDE_OUTBOUND_NAT0_ACL

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTO 10 match address CRYPTO-TO-XXX
crypto map CRYPTO 10 set pfs group1
crypto map CRYPTO 10 set peer X.X.X.X
crypto map CRYPTO 10 set transform-set ESP-3DES-SHA
crypto map CRYPTO interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key 1234567890
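The tunnel only comes up if the two sides above agree on a Phase 1 (ISAKMP) policy and on the Phase 2 transform set the static side's dynamic-map offers. The following added example (not part of the original post) checks that agreement offline; it handles both the PIX 6.x flat `isakmp policy N attr value` syntax and the ASA 7.x indented block syntax, and the sample configs are constructed from the post's lines with the post's elided addresses left out.

```python
import re
# Constructed from the post: Phase 1 policies and Phase 2 transform sets of the
# static PIX (6.x flat syntax) and the dynamic ASA (7.x block syntax).
STATIC_PIX = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400"""
DYNAMIC_ASA = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTO 10 set transform-set ESP-3DES-SHA
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 1"""
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_isakmp_policies(config):
    """Return {policy_number: {attr: value}} for either PIX or ASA syntax."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^(?:crypto )?isakmp policy (\d+)(?: (\w+) (\S+))?$", line)
        sub = re.match(r"^ +(\w+) (\S+)$", line)  # indented ASA sub-command
        if head:
            current = policies.setdefault(int(head.group(1)), {})
            if head.group(2):
                current[head.group(2)] = head.group(3)
        elif sub and current is not None and sub.group(1) in PHASE1_ATTRS:
            current[sub.group(1)] = sub.group(2)
    return policies

def bound_transform_sets(config):
    """ESP proposals actually referenced by a crypto map or dynamic-map."""
    defined = {n: tuple(p.split()) for n, p in
               re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}
    names = {n for line in re.findall(r"set transform-set (.+)$", config, re.M)
             for n in line.split()}
    return {defined[n] for n in names if n in defined}

def phase1_match(static_cfg, dynamic_cfg):
    """Lifetime aside (the lower value wins), one policy per side must agree fully."""
    strip = lambda p: {k: v for k, v in p.items() if k != "lifetime"}
    return any(strip(a) == strip(b)
               for a in parse_isakmp_policies(static_cfg).values()
               for b in parse_isakmp_policies(dynamic_cfg).values())

def phase2_match(static_cfg, dynamic_cfg):
    """The static side's dynamic-map must offer a proposal the dynamic side's map uses."""
    return bool(bound_transform_sets(static_cfg) & bound_transform_sets(dynamic_cfg))
```

Run the same checks after any change to either box; a single attribute drift (for example group 1 to group 2 on only one side) is enough to stop Phase 1 from completing.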

Source Links:

Configuring PIX to PIX Dynamic-to-Static IPSec with NAT and Cisco VPN Client
PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example
