dhcp and pix

I have an IPsec tunnel set up from various PIX 501s back to a vpn3000 concentrator. My question is: can I use DHCP on the 501s and have the vpn3000 or 501 update the concentrator with a new IP address if it should change? Thx...

Branigan

Yes.

What do you mean by "update the concentrator with a new ip address"?

If the outside interface of your PIX uses dhcp then you need to use a crypto dynamic map on the -other- end. [I don't know what the vpn3000 calls this, but I'm sure it has the equivalent.] Provided that the isakmp key address/mask combination on the concentrator covers all addresses that -could- be assigned to the 501, and provided that you are using internal IP address ranges to designate the traffic [the normal configuration], you don't need to update anything on the concentrator.

Note: in this configuration, the concentrator will not be able to bring up the tunnel if the tunnel is down: the end with the dynamic IP address must bring up the tunnel. If what you were hoping for was for the concentrator to know the "last known" IP address of the PIX so that the concentrator could try to bring up the tunnel, then No, there is no way to do that without manual intervention (or without some kind of program on a computer that reached into the concentrator and reconfigured it.)

Hint for this configuration: use isakmp identity hostname instead of isakmp identity address

Walter Roberson
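
The coverage condition in the answer above (the isakmp key address/mask on the concentrator must cover every address the 501 could be assigned) can be checked offline. This is an added example, not part of the original thread; the function name and all address ranges are constructed for illustration, and it also reports how many addresses each key scope accepts beyond the DHCP pool it serves.

```python
import ipaddress


def audit_key_scopes(key_scopes, dhcp_pools):
    """For each DHCP pool, find the narrowest pre-shared-key scope covering it.

    key_scopes: address/mask strings as configured for the key on the hub.
    dhcp_pools: ranges the remote PIX outside interface could be assigned.
    Returns one dict per pool: the covering scope (None if uncovered), the
    number of extra addresses that scope accepts, and a wildcard flag.
    """
    scopes = [ipaddress.ip_network(s) for s in key_scopes]
    report = []
    for p in dhcp_pools:
        pool = ipaddress.ip_network(p)
        # A scope covers the pool only if every pool address falls inside it.
        covering = [s for s in scopes if pool.subnet_of(s)]
        # Prefer the longest prefix: the tightest scope that still works.
        best = max(covering, key=lambda s: s.prefixlen, default=None)
        report.append({
            "pool": str(pool),
            "scope": str(best) if best is not None else None,
            "excess": (best.num_addresses - pool.num_addresses
                       if best is not None else None),
            # 0.0.0.0/0 means any host on the Internet may try this key.
            "wildcard": best is not None and best.prefixlen == 0,
        })
    return report


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    scopes = ["198.51.100.0/255.255.255.0", "0.0.0.0/0"]
    pools = ["198.51.100.64/26", "203.0.113.0/25"]
    for row in audit_key_scopes(scopes, pools):
        print(row)
```

An uncovered pool means the tunnel will fail after a lease change into that range; a pool covered only by the wildcard scope works, but the key is then offered to every source address.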

Thx Walter, that will get me started. I appreciate the help with this...

Branigan