Multiple site-to-site VPN plus two dynamic VPN connections one to different VLAN

Discussion in 'Cisco' started by Joey, Apr 25, 2007.

Joey (Guest)

    I have a PIX running 6.3(5) with 5 site-to-site ipsec tunnels (static
    IPs) and one dynamic IP one (all using only pre-shared keys, no AAA).
    I'd like to allow an outside vendor access to a particular VLAN and
    allow them to enter from any IP address.

    The dynamic IP site has a PIX 501 at it, so I assume I can upgrade to
    some kind of user/pass in there for it to come in with. Is it
    possible to terminate the dynamic connections using the local AAA
    database? I'm not clear on the relationship between the pre-shared key
    and where a user/pass comes in (regardless of whether it goes to RADIUS
    or not).

    Also, is it possible to restrict the vendor's credentials to a
    particular VLAN and always give them the same IP address on that VLAN?
    The current setup doesn't give anyone IP addresses, including the
    dynamic site. It just routes. I have access to an ACS server but
    would like to keep things as simple as possible.

    I also have a 1811 that's currently a VPN between another vendor and
    the back of their server here. Would it be easier and less disruptive
    to try and do it on this one? I'm not sure of the 1811's capabilities
    in this respect. But it might keep "outsiders" on their own router
    and off of the other firewall.

    Thanks!
    Joey
