EzVPN or Site to Site IPSEC tunnel

SteveGodfrey
Level 1

PIX 501 at remote sites and PIX 525 in central site. What's the difference between a EzVPN and Site-to-Site VPN tunnel?

Which is the best method to use?

4 Replies

gfullage
Cisco Employee

If you don't need to contact each of the machines behind each 501 from the central site, then just use EzVPN in client mode, it simplifies the configuration on both devices (especially the head end) significantly.

If you do need to contact each individual machine behind the 501's, you can use either an L2L or EzVPN in Network-Extension mode. Functionally there's really not much difference, but again the config on the head end is significantly easier with EzVPN rather than an L2L tunnel.

Each remote site is using a Cable Modem supplied by the ISP, so the PIX is using DHCP to get its outside IP address. In the docs it does say not to use Network-Extension mode if the IP is dynamically assigned, although I can't see why.

I want to use some form of xauth for the remote 501's, even if it's just a username entry on the head end. As I see it, if a 501 is stolen from a remote site and then connected elsewhere, a VPN connection will be established to our internal network without the need to supply a username and password. At least using a username entry on the head PIX I could just delete the specific entry for that remote site, and then the tunnel wouldn't come up.

Thanks
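To make the two EzVPN modes from gfullage's reply and the per-site xauth revocation idea from the post above concrete, here is an added configuration example. It is not from this thread or from Cisco documentation; it assumes PIX 6.3 command syntax on both boxes, and every address, group name, username and secret in it is a constructed placeholder that you would replace. The head end authenticates each 501 against its own local username, so a stolen unit is cut off by deleting that one `username` line rather than by rotating the shared group secret on every site.

```cisco
! ===== Head end (PIX 525), assumed PIX 6.3 syntax; all values constructed =====
! One XAUTH username per remote site. To revoke a stolen 501 from site A:
!   no username site-a-pix
! The group password stays the same, so the other sites are unaffected.
aaa-server LOCAL protocol local
username site-a-pix password SiteA-xauth-secret-CHANGEME
username site-b-pix password SiteB-xauth-secret-CHANGEME

! Inner addresses for 501s running in client mode (the whole remote LAN is
! PATed behind one of these). Not used by network-extension-mode remotes,
! which keep their own inside subnet.
ip local pool ezvpn-pool 10.99.0.1-10.99.0.50

! Network-extension-mode remotes: do not NAT head-end traffic destined for the
! remote LAN, otherwise return packets never enter the tunnel.
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Phase 1 policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! The group that every 501 joins; the group password is the shared IKE secret
vpngroup remote-sites address-pool ezvpn-pool
vpngroup remote-sites dns-server 10.1.1.10
vpngroup remote-sites idle-time 1800
vpngroup remote-sites password Group-secret-CHANGEME

! Phase 2: dynamic crypto map because the 501s get their outside address
! from the ISP by DHCP, so no fixed peer address can be configured here
crypto ipsec transform-set ezvpn-ts esp-3des esp-sha-hmac
crypto dynamic-map ezvpn-dyn 10 set transform-set ezvpn-ts
crypto map outside-map 10 ipsec-isakmp dynamic ezvpn-dyn
! XAUTH against the local user database: no valid username, no tunnel
crypto map outside-map client authentication LOCAL
crypto map outside-map interface outside
sysopt connection permit-ipsec

! ===== Remote (PIX 501) as EzVPN hardware client; values constructed =====
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
vpnclient server 203.0.113.10
! network-extension-mode keeps 192.168.10.0/24 reachable from the head end;
! use "vpnclient mode client-mode" instead if the remote LAN never needs to
! be reached from the central site
vpnclient mode network-extension-mode
vpnclient vpngroup remote-sites password Group-secret-CHANGEME
! XAUTH credentials stored on the 501 so the tunnel comes up unattended;
! this is exactly why revocation has to happen at the head end
vpnclient username site-a-pix password SiteA-xauth-secret-CHANGEME
vpnclient enable
```

Because the xauth credentials live on the remote 501, the head-end username entry is the only control that survives the box leaving the site; treat deleting it (and, if the group secret is in the thief's hands too, changing `vpngroup remote-sites password` on every remaining site) as the first step once a unit is reported missing. Check the exact command forms against the PIX software version actually running, as the syntax above is assumed for 6.3.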

If I just throw in a pennyworth.

If you're concerned about the fact that a remote site might succumb to light fingers, if you configure the central PIX for ISAKMP keys to authenticate the remotes, this might be a workaround for you, because when you're told a PIX has gone AWOL, you remove the relevant key.

I appreciate that the IPs are dynamic at the remote, but they rarely change, and if they do, you could quickly reconfigure the main PIX to sort it out, probably after getting a call from a remote saying they can't log into the network.

Apologies if I'm leading you up a blind alley here.

Steve

I've got IKE working with AAA now, so I've got an account on the ACS server. So I'm nearly there now!