VPN to PIX with dynamic address

Discussion in 'Cisco' started by Darron Findlay, Dec 2, 2003.

  1. Oops. Ignore that previous blank post.

    I have a (cheap) client who has ADSL at his home office. He wants to put
    something like a PIX 501 behind the DSL modem and be able to get to it via
    VPN from abroad. Since he's getting dynamic IP addresses, he wants to use
    some service like dyndns.org so he can get the current address converted to
    a DNS-like name.

    Anyway, I've never even considered doing such a thing until now and have no
    idea if it will work. I don't have a PIX to play with right now (I need
    richer clients) so I'm having to figure this out the hard way.

    Can it be done (VPN into a PIX with a dynamic IP address that's running
    PPPOE)?
     
    Darron Findlay, Dec 2, 2003
    #1

  2. :I have a (cheap) client who has ADSL at his home office. He wants to put
    :something like a PIX 501 behind the DSL modem and be able to get to it via
    :VPN from abroad. Since he's getting dynamic IP addresses, he wants to use
    :some service like dyndns.org so he can get the current address converted to
    :a DNS-like name.

    :Can it be done (VPN into a PIX with a dynamic IP address that's running
    :PPPOE)?

    In theory, yes.

    Normally, the IPSec setup for a PIX with a dynamic address is the
    same as for a regular PIX -- plain 'crypto map' and with
    a 'set peer' clause pointing to its fixed-IP kin. And normally
    the PIX receiving the call has 'crypto dynamic-map'. You can't
    normally have a PIX-to-PIX VPN in which both ends are dynamic
    because *one* end needs a 'set peer' nominating a fixed IP.

    But the constraint that requires 'set peer' does not apply for
    the VPN client setup. So you can just go ahead and configure
    the PIX 501 as an Easy VPN Server (using PDM perhaps), or
    manually with a 'crypto dynamic-map' and vpdn-group etc. The VPN
    client just has to find the outside address -somehow- and
    negotiation takes care of the rest.
     
    Walter Roberson, Dec 2, 2003
    #2
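
The manual setup described in the reply above, sketched as an added example (not configuration posted by either participant): a PIX whose outside address comes from PPPoE, accepting VPN clients through a 'crypto dynamic-map'. It assumes PIX OS 6.3-style syntax and the default 192.168.1.0/24 inside network; every group name, pool, subnet and credential is a placeholder.

```cisco
: Constructed sketch in PIX OS 6.3-style syntax. All names, pools, subnets and
: credentials below are placeholders chosen for this example.

: Outside address comes from the ISP over PPPoE, so it is dynamic
vpdn group ISP request dialout pppoe
vpdn group ISP localname PPPOE-USER-PLACEHOLDER
vpdn group ISP ppp authentication pap
vpdn username PPPOE-USER-PLACEHOLDER password PPPOE-PASSWORD-PLACEHOLDER
ip address outside pppoe setroute

: Addresses handed to VPN clients, and NAT exemption for traffic towards them
ip local pool VPNPOOL 192.168.100.1-192.168.100.20
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

: Let decrypted IPSec traffic bypass the outside interface ACL check
sysopt connection permit-ipsec

: Phase 2: the dynamic map has no 'set peer', so the caller's address need not be known
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set VPNSET
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside

: Phase 1, with NAT traversal for clients sitting behind NAT
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Group the Cisco VPN client authenticates against
vpngroup HOMEOFFICE address-pool VPNPOOL
vpngroup HOMEOFFICE idle-time 1800
vpngroup HOMEOFFICE password GROUP-SECRET-PLACEHOLDER
```

The VPN client is pointed at the dynamic DNS hostname rather than an IP address. In this sketch the group password is the only credential guarding the tunnel, so it should be long and random.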