



Network Security Firewalls

RE: PIX 501

Subject: RE: PIX 501
Date: Sat, 25 Jun 2005 09:12:13 +1000
Hey Dave,

The easiest way to accomplish this is to use the EasyVPN features of the
PIX. This enables smaller model routers/PIXen to function just like a
Software VPN client. It also saves you from having to create a full
phase1&2 policy on the 501s. It also supports dynamic IP addresses (just
like it does for Software VPN clients).

This is accomplished on the main office PIX by:
        * creating a standard phase 1 policy (using the "isakmp policy"
          commands);
        * creating a "vpngroup" for each site (or alternatively, creating
          a single "vpngroup" and then using Xauth on top);
        * creating a dynamic crypto map; and
        * creating a crypto map and adding the dynamic crypto map to it.

On the client (the 501s), it's simply a matter of adding the following:
        * enable the "vpnclient" feature and enter the relevant syntax
          (vpngroup username and password).

Of course, the above is an abbreviated instruction set, but you can find
detailed instructions on Cisco's website:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

Hope this helps.

Regards,

Jason Ha [CISSP, CCSE, JNCIS-FWV, CSPFA]
Senior Security Engineer,
Security Operations Centre
VeriSign Asia Pacific


-----Original Message-----
From: Dave Nardoni [mailto:dnardoni@firstresponseconsulting.com] 
Sent: Friday, June 24, 2005 11:54 PM
To: firewalls@securityfocus.com
Subject: PIX 501

Is anyone aware of any problems with setting up site-to-site VPNs with
PIXes where the sites have dynamic IPs?  Situation is I have to link a
bunch of branch offices to main office and all branch offices are DSL or
cable modems that have dynamic and do not have static IPs.  Any
problems or gotchas that anyone is aware of?  One thing I am concerned
about is when the lease expires will the VPN go down and come back up
correctly?  How is this handled?

Anyway thanks in advance for any comments,

David Nardoni CISSP, EnCE
dnardoni@firstresponseconsulting.com
PGP Signature: 9CE4 C240 BBC7 2945 BDD6  C97A 0E3D 2547 DB0A 104C
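
A minimal configuration sketch of the Easy VPN steps listed in the reply above, added here as an example in PIX 6.x syntax; it is not from the original thread or from the linked Cisco document. The names BRANCH1, DYNMAP, OUTSIDE-MAP and NONAT, the addresses (192.0.2.1 as the main office outside address, 10.0.0.0/24 and 10.1.1.0/24 as the main office and branch inside networks) and the password placeholders are assumptions.

```text
!--- Main office PIX (Easy VPN server). All names and addresses are assumed.

!--- Step 1: standard phase 1 policy
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Step 2: one vpngroup per branch site (placeholder secret)
vpngroup BRANCH1 password <group-password-placeholder>
vpngroup BRANCH1 idle-time 1800

!--- Step 3: dynamic crypto map, so no fixed peer address is required
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA

!--- Step 4: crypto map that references the dynamic map, bound to outside
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside

!--- Exempt main-office-to-branch traffic from NAT and permit IPsec traffic
access-list NONAT permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec


!--- Branch PIX 501 (Easy VPN remote)
vpnclient server 192.0.2.1
vpnclient mode network-extension-mode
vpnclient vpngroup BRANCH1 password <group-password-placeholder>
!--- Only needed when the server enforces Xauth on top of the vpngroup:
!--- vpnclient username <xauth-user-placeholder> password <xauth-password-placeholder>
vpnclient enable
```

Because the 501 initiates the tunnel and the main office matches it through the dynamic crypto map, the main office PIX never needs the branch address configured in advance.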

 



