07-09-2003 04:28 AM - edited 02-21-2020 12:39 PM
PIX 501 at remote sites and PIX 525 in central site. What's the difference between a EzVPN and Site-to-Site VPN tunnel?
Which is the best method to use?
07-09-2003 03:52 PM
If you don't need to contact each of the machines behind each 501 from the central site, then just use EzVPN in client mode, it simplifies the configuration on both devices (especially the head end) significantly.
If you do need to contact each individual machine behind the 501's, you can use either a L2L or EzVPN in Network-Extension mode. Functionally there's really not much difference, but again the config on the head is significantly easier with EzVPN rather than a L2L tunnel
07-09-2003 11:52 PM
Each remote site is using a Cable Modem supplied by the ISP so the PIX is using DHCP to get it's outside IP address, in the docs it does say not to use Network-Extension mode if the IP is dynaimcally assigned, wlthough I can't see why.
I want to use some form of xauth for the remote 501's even if it's just a username entry on the head end. As I see it if a 501 is stolen from a remote site then connected elsewhere a VPN connectino will be established to our internal network without the need to supply a username and password. At least using a username entry on the head PIX I could just delete the specific entry for that remote site then the tunnel wouln't comeup.
Thanks
07-10-2003 02:11 AM
If I just throw in a pennyworth.
If you're concerned about the fact that a remote site might succomb to light fingers, if you configure the central pix for ISKMP keys to authenticate the remotes, this might be a workaround for you because when you're told a pix has gone awol, you remove the relevant key.
I appreciate that the IP are dynamic at the remote, but they rarely change and if they do, you could quickly reconfigure the main pix to sort it out, probably after getting a call from a remote saying they can't log into the network.
apologies if I'm leading you up a blind alley here
Steve
07-10-2003 02:16 AM
I've got IKE working with AAA now, so I've got an account on the ACS server....So I'm nearly there now!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide