site to site ipsec without public ip at one end

Discussion in 'Cisco' started by dt1649651@yahoo.com, Apr 10, 2008.

  1. Guest

    I have a remote LAN which is located inside another company. I would like
    to set it up so that the headquarters LAN can access resources of that
    remote LAN. The remote LAN does not have any public IP address, but it
    can go through the other company's network to get to the Internet.

    Does site-to-site IPsec work in this case? Or is there any other solution
    that can help the main LAN access the remote LAN?

    Thanks,

    DT
     
    , Apr 10, 2008
    #1

  2. In article <>,
    <> wrote:
    >I have a remote LAN which is located inside another company. I would like
    >to set it up so that the headquarters LAN can access resources of that
    >remote LAN. The remote LAN does not have any public IP address, but it
    >can go through the other company's network to get to the Internet.

    >Does site-to-site IPsec work in this case? Or is there any other solution
    >that can help the main LAN access the remote LAN?

    Yes, site-to-site IPsec *can* work in such cases, but it depends
    upon the equipment and software version as to whether it can
    be configured. Also, if the connection is lost between HQ and the
    remote LAN for any reason, then it would have to be the remote LAN
    that requests the connection to HQ, unless the other company
    is willing to reserve a static public IP that gets NAT'd to their
    internal private IP.

    There is one setup where the HQ can connect more readily to
    the remote LAN, and that is if DMVPN is configured. DMVPN is
    available on some of the routers (including the 87x I believe)
    but it is not available in PIX 6, and I don't know if it is available
    in PIX 7 or PIX 8 or the ASAs.
     
    Walter Roberson, Apr 10, 2008
    #2

  3. Guest

    On Apr 10, 2:16 pm, (Walter Roberson) wrote:

    > Yes, site-to-site IPsec *can* work in such cases, but it depends
    > upon the equipment and software version as to whether it can
    > be configured. Also, if the connection is lost between HQ and the
    > remote LAN for any reason, then it would have to be the remote LAN
    > that requests the connection to HQ, unless the other company
    > is willing to reserve a static public IP that gets NAT'd to their
    > internal private IP.

    Thanks, Walter. I tried this and it works. And as you said, yes, the
    remote LAN has to initiate the connection.
    Is it possible to have the remote router initiate the connection
    by itself? Or do I need some external device (PC, server) on the
    remote site to do that?



    DT
     
    , Apr 20, 2008
    #3
  4. Guest

    On 20 Apr, 06:25, "" <> wrote:
    > On Apr 10, 2:16 pm, (Walter Roberson) wrote:
    >
    > > Yes, site-to-site IPsec *can* work in such cases, but it depends
    > > upon the equipment and software version as to whether it can
    > > be configured. Also, if the connection is lost between HQ and the
    > > remote LAN for any reason, then it would have to be the remote LAN
    > > that requests the connection to HQ, unless the other company
    > > is willing to reserve a static public IP that gets NAT'd to their
    > > internal private IP.
    >
    > Thanks, Walter. I tried this and it works. And as you said, yes, the
    > remote LAN has to initiate the connection.
    > Is it possible to have the remote router initiate the connection
    > by itself? Or do I need some external device (PC, server) on the
    > remote site to do that?
    >
    > DT


    There may be an "official" way to do this, I don't know, but
    one workaround that I have used in the past on routers is

    ntp server far-side-of-vpn
    ntp source inside-interface-address

    This generates periodic traffic from the inside of the
    router to the target, which may stimulate the VPN.

    Make sure you understand whether you will get sufficiently
    frequent traffic for your needs.

    Also consider SAA (now renamed again, I think).
    This is a much better plan.

    Another alternative is to try to make sure the VPN never
    goes down, say by pinging from the centre, but that
    will never be completely reliable: if the pings stop for
    any reason, then the VPN will not be recoverable from the
    outside except by some intervention using the external address
    of the router.
     
    , Apr 20, 2008
    #4
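    The remote-side router configuration that the thread describes, written out as an added example (not posted by anyone in the thread). It assumes a Cisco IOS router on the remote LAN behind the host company's NAT, HQ's public address 203.0.113.10, remote subnet 192.168.50.0/24, HQ subnets 10.0.0.0/16, an HQ host 10.0.0.1 to use as traffic target, and a pre-shared-key placeholder; all of these values are constructed for illustration. Both triggering options from the thread are shown: the NTP workaround and IP SLA (the successor to SAA).

    ```cisco
    ! --- Phase 1: the remote router can only ever initiate, so it needs
    !     HQ's static public address; NAT-T keepalives keep the host
    !     company's NAT entry (UDP 4500) alive between packets.
    crypto isakmp policy 10
     encryption aes 256
     hash sha256
     authentication pre-share
     group 14
    crypto isakmp key PSK-PLACEHOLDER address 203.0.113.10
    crypto isakmp keepalive 10 periodic
    crypto isakmp nat keepalive 20
    !
    ! --- Phase 2
    crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    ! Only traffic between the two LANs is "interesting"; it is what
    ! brings the tunnel up when the SAs have been lost.
    ip access-list extended VPN-TRAFFIC
     permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.255.255
    !
    crypto map HQ 10 ipsec-isakmp
     set peer 203.0.113.10
     set transform-set TS
     match address VPN-TRAFFIC
    !
    interface FastEthernet4
     description uplink into host company's network (private address, NATed by them)
     ip address dhcp
     crypto map HQ
    !
    ! Option A (the workaround quoted in the thread): NTP polls sourced from
    ! the inside interface match VPN-TRAFFIC and so re-trigger the tunnel.
    ntp server 10.0.0.1
    ntp source Vlan1
    !
    ! Option B (the "SAA" suggestion): an IP SLA probe sourced from the
    ! inside interface every 30 seconds; the interval is under your control.
    ip sla 1
     icmp-echo 10.0.0.1 source-interface Vlan1
     frequency 30
    ip sla schedule 1 life forever start-time now
    ```

    With option B, `show ip sla statistics 1` also gives you an ongoing record of whether the tunnel is actually passing traffic, which the NTP trick does not.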
  5. Guest

    On Apr 20, 7:11 am, wrote:
    >
    > There may be an "official" way to do this, I don't know, but
    > one workaround that I have used in the past on routers is
    >
    > ntp server far-side-of-vpn
    > ntp source inside-interface-address
    >
    > This generates periodic traffic from the inside of the
    > router to the target, which may stimulate the VPN.
    >
    > Make sure you understand whether you will get sufficiently
    > frequent traffic for your needs.


    Thanks. I will use this trick in this particular case: the remote
    system has no "users". They have only several printers.


    >
    > Also consider SAA (now renamed again, I think).
    > This is a much better plan.

    Never used SAA. Will (learn and) try it.

    Thanks.
    DT
     
    , Apr 20, 2008
    #5