I have the following topology. R1 with firewall features, R2 and ACS belong to Customer A, while R3 with firewall features and VPN concentrator belong to Customer B.
The requirement is for User, who is a mobile user of Customer A, to connect to Customer B's VPN concentrator and open an IPsec connection using the Cisco VPN client.
User must also be authenticated when entering Customer A network and I am considering proxy authentication. So, before opening the vpn client, the user will initiate an http connection to R1 and authenticate itself to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.
The problem is that Customer B needs to know the IP addresses of users with vpn clients so that it can allow only traffic from this IP passing through R3 FW.
Since this is a mobile user, he can connect from different places, so he does not use a single IP.
Here are my thoughts/questions to address this issue:
1. Is it possible to assign a static IP to User when he authenticates with the ACS along with proxy authentication?
2. Can I use NAT outside at R1 so I translate user IP to a static IP? Do you see any issue with this implementation?
3. Is there another solution to achieve the above, i.e. authentication of mobile users and static IP assignment?
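For reference, the proxy-authentication flow described in the question (HTTP login to R1, ACS authorizes, per-user entry inserted into R1's inbound ACL) as a constructed Cisco IOS configuration sketch; this is an added example, not the poster's configuration, and the interface name, addresses, list names and the ACS-side attribute lines are assumptions that must be adapted to the actual platform and IOS release.

```cisco
! Constructed example (hypothetical names/addresses): R1 as the
! authentication-proxy gateway for Customer A's mobile users.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
! ACS reachable on the inside; shared secret is a placeholder
tacacs-server host 10.1.1.10 key <ACS-SHARED-SECRET>
!
! The login page is served by the router's HTTP server via AAA
ip http server
ip http authentication aaa
! Auth-proxy rule; idle sessions are torn down after 60 minutes,
! which also removes the dynamically inserted ACL entries
ip auth-proxy name MOBILE-USERS http inactivity-time 60
!
! Static inbound ACL on the Internet-facing interface: only the HTTP
! trigger toward R1 is allowed (assumed to be required here); the per-user
! entries downloaded from ACS are inserted ahead of the final deny.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.1 eq www
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface of Customer A (assumed name)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip auth-proxy MOBILE-USERS
!
! ACS side (TACACS+ "auth-proxy" service for the user or group), shown
! here as comments. The source "any" in each proxyacl entry is replaced
! by IOS with the address the user authenticated from, so the entry only
! ever permits that host; 198.51.100.20 stands for Customer B's concentrator.
!   priv-lvl=15
!   proxyacl#1=permit udp any host 198.51.100.20 eq isakmp
!   proxyacl#2=permit udp any host 198.51.100.20 eq 4500
!   proxyacl#3=permit esp any host 198.51.100.20
```

Note that this only controls what R1 admits; it does not change the user's source address, so Customer B's R3 still sees whatever public IP the mobile user happens to have unless R1 also translates it.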