Site to Site VPN Tunnel with Dynamic IP using PIX and ASA

Unanswered Question
Jul 14th, 2009

Here is the situation: we have a remote site in a third party's location where they refuse to statically NAT us an outside IP. Our outside IP doesn't change often, so usually the VPN works OK, but not so much lately.

The problem is we need to directly address devices on the remote end, so AFAIK EZVPN won't work because it NATs all the connections.

Is there any way to make this work with the current hardware, ASA running 8.0 code and PIX 501 with 6.35 code?

Ivan Martinon Tue, 07/21/2009 - 07:31

So, is one end with a "dynamic IP address" and another with a static IP address? If so, then the next question will be which side needs to start the connection to which side: the dynamic to the static, or the static to the dynamic?

So if you have one dynamic and one static, you can either have EzVPN or dynamic-to-static LAN-to-LAN. The catch here is that the one with the dynamic IP address always needs to start the connection to the one with the static IP address; this is for both the tunnel and traffic over the tunnel. Once the bidirectional tunnel is up, you can have bidirectional communication.
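A configuration sketch of the dynamic-to-static LAN-to-LAN option described in the reply above, added here as an example and not posted by either participant. It assumes the ASA (8.0) holds the static address and the PIX 501 (6.3) is the dynamic side, possibly behind the third party's NAT; the subnets 10.1.0.0/24 and 10.2.0.0/24, the peer address 192.0.2.1, the object names and the AES licence on the PIX are all placeholders or assumptions.

```text
! ---- ASA 8.0: static address, responder only (dynamic crypto map) ----
! Assumed subnets: 10.1.0.0/24 behind the ASA, 10.2.0.0/24 behind the PIX
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! No "set peer": the remote address is unknown until the PIX connects
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
! NAT-T, in case the PIX sits behind the third party's NAT (assumption)
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! L2L peers with no matching tunnel-group land in DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY>

: ---- PIX 501 6.3: dynamic address, always the initiator ----
: 192.0.2.1 is a placeholder for the ASA's static outside address
access-list VPN-TO-HQ permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list VPN-TO-HQ
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map TO-HQ 10 ipsec-isakmp
crypto map TO-HQ 10 match address VPN-TO-HQ
crypto map TO-HQ 10 set peer 192.0.2.1
crypto map TO-HQ 10 set transform-set ESP-AES-SHA
crypto map TO-HQ interface outside
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 192.0.2.1 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Because the ASA cannot key the pre-shared secret to a peer address, every unknown LAN-to-LAN peer authenticates with the DefaultL2LGroup key, so that key should be long and random. Hosts behind the ASA can reach the remote subnet only while the PIX has brought the tunnel up, so some traffic originating from the PIX side is needed to keep it established.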
