One of our VPs decided that it was a great idea that we connect to our clients via VPN for support solutions. We have approx. 140 clients, and we currently use two AS5350s to dial into their systems. We have all kicked around the idea of giving the clients a 506e and using a 515e w/ VPN accelerator on our side. Now I know we can get everyone connected, but there is still some liability here and also some IP addressing issues. If we do this, is there a way that the clients can configure logon hours or connection hours for support on their box so no one can access after hours unless they permit it? Also, through a point-to-point, is there a way that after the tunnel is connected the end user in our company has to authenticate to either our PIX or the client's PIX? These are untrusted networks. Also, we use 10.0.16.0/22 on our LAN, so if I am not mistaken, if we were to create a point-to-point, no one on the back end can have the same address space, nor can either of the clients have the same name space, because the PIX wouldn't know which VPN to send the traffic to, right? Or can this be done through NAT rules? Any feedback would be appreciated.
My thoughts were to install a 506e at the client site for remote VPN connections, then use the VPN client to connect in. To me this seems more secure: open one PC on our LAN to the client rather than opening all PCs to the connection.
My number one concern is security and viruses, not the ease of the connection.