10-09-2003 07:45 AM - edited 02-21-2020 12:49 PM
Hi there- I wonder if someone out there could help me sanity check the following:-
The scenario we have is:
we have a customer who wants to set up a VPN, at fairly low cost. They operate a fleet of ships which periodically come into dry dock.
While in dock, they wish to be able to access their corporate LAN via VPN- no VPN exists at present. We have identified GPRS as being about the only transmission medium available that meets their needs in terms of cost, bandwidth and mobility.
What they are after is a form of VPN: I suggested a Cisco PIX- I'm thinking about a 501- as vpn terminator at their headquarters.
The complication is: we won't know for definite what their inbound IP address will be, as their GPRS dial-up ISP operates DHCP, which will make VPN config creation difficult. However, I do know what range of IP addresses the ISP (it is o2 in the UK, the mobile phone company) hand out from their address pool.
So: my question is- can a config be defined on the PIX 501 that will allow a VPN tunnel to be created from a known range of IP addresses, rather than a single IP?
BTW: I've ruled out Cisco's 'Easy VPN' service, as we will not have Cisco kit at both ends (VPN over o2 GPRS dial-up connection would seem to need a custom VPN client devised by o2, although they claim it is IPSec compatible). I don't think DDNS would work either.
If anyone can help, I'd be much obliged.
cheers-
0r8it
10-09-2003 10:29 AM
Hi 0r8it!
As much as I can understand, you want a PIX to terminate SW VPN Client requests. Being so, you don't need to configure those VPN Client source IPs (ISP public Internet IPs). You can configure the PIX to receive VPN requests from anywhere in the Internet as long as they have the correct usernames/passwords to establish the VPN IPSec tunnels.
Regards.
10-09-2003 11:13 AM
Thanks for that, ovieira.
That's really wowed me- I've only just really started to look at VPNs, but even those I've spoken to who seem to know more than me all said that the IP addresses of all parties had to be known. That's very interesting- thanks for taking the time to reply.
0r8it
10-11-2003 01:42 PM
Only one side is required to be static.
The only caveat is that the static side cannot initiate the tunnel with the dynamic side. The dynamic side must initiate the tunnel. If no interesting traffic is generated by the dynamic side, the static side will not be able to reach the dynamic side.
Usually this is no big deal as the dynamic side is usually trying to reach resources on the static side and not vice-versa.
The following sample config is your ticket and will even allow for PCs running the Cisco VPN client software to connect as well as other PIX firewalls (at the same time, even).
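The dynamic-peer arrangement described in this reply, written out as an added example in PIX 6.3 syntax; it is not the poster's sample config and not taken from Cisco documentation. Assumed values: the HQ LAN is 192.168.10.0/24 behind the "inside" interface, the ship LAN is 192.168.20.0/24, the crypto map and ACL names are made up, and the pre-shared key is a placeholder.

```cisco
: Added example (PIX 6.3 syntax), assumed addresses and names; not the original post's config.
: Only the HQ side has a fixed address, so the ship side must always bring the tunnel up.

: Traffic between the two LANs must cross the tunnel un-NATted.
access-list NONAT permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT

: Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

: Phase 2 proposal (3DES/SHA was the strongest the PIX 501 licence offered at the time).
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac

: Dynamic crypto map: deliberately no "set peer", because the ship's address is unknown.
crypto dynamic-map DYNMAP 10 set transform-set STRONG

: The static map references the dynamic one; give it the highest sequence number
: so any fixed-peer entries added later are tried first.
crypto map VPNMAP 100 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside

: Phase 1. A wildcard key (0.0.0.0/0.0.0.0) is accepted from any source address,
: so the key alone identifies the peer: make it long and random, and change it
: whenever a vessel or its router leaves the fleet.
isakmp enable outside
isakmp key <REPLACE-WITH-STRONG-PSK> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

With this in place the HQ PIX accepts a tunnel from whatever address o2 hands the ship that day, and `show crypto isakmp sa` on the PIX shows which peer addresses have actually negotiated, which is the quickest way to confirm that only expected vessels are connecting.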