Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
353
Views
0
Helpful
3
Replies

PIX- VPN on an IP range? Is it possible?

0r8it
Level 1
Level 1

‎10-09-2003 07:45 AM - edited ‎02-21-2020 12:49 PM

Hi there- I wonder if someone out there

could help me sanity check the following:-

The scenario we have is:

we have a customer who wants to set up a VPN, at fairly low cost. They operate a fleet of ships which periodically come into dry dock.

While in dock, they wish to be able to access their corporate LAN via VPN- no VPN exists at present. We have identified GPRS as being about the only transmission medium available that meets their needs in terms of cost, bandwidth and mobility.

What they are after is a form of VPN: I suggested a Cisco PIX- I'm thinking about a 501- as vpn terminator at their headquarters.

The complication is: we won't know for definite what their inbound ip address will be, as their GPRS dial-up ISP operates dhcp, which will make vpn config creation difficult. However, I do know what range of IP addresses the ISP (it is o2 in the UK, the mobile

phone company) hand out from their address pool.

So: my question is- can a config be defined on the PIX 501 that will allow a vpn tunnel to be created from a known range of ip addresses, rather than a single ip?

BTW: I've ruled out Cisco's 'Easy VPN' service, as we will not have Cisco kit at both ends (VPN over o2 GPRS dial-up connection would seem to need a custom vpn client devised by o2-although they claim it is IPSec compatible). I don't think ddns would work either.

If anyone can help, I'd be much obliged.

cheers-

0r8it

Labels:
0 Helpful
3 Replies 3

ovieira
Level 1
Level 1

‎10-09-2003 10:29 AM

HI Or8it!

As much as i can understand, you want a PIX to terminate sw VPN Client requests. Beeing so, you dont't need to configure those VPN Client source IPs (ISP public Internet IPs). You can configure the PIX to receive VPN requests from anywhere in the Internet as long as they the correct usernames/passwords to establish the VPN IPSec tunnels.

Regards.

0 Helpful

0r8it
Level 1
Level 1
In response to ovieira

‎10-09-2003 11:13 AM

Thanks for that, ovieira.

That's really wowed me- I've only just really started to look at vpn's, but even those I've spoken to who seem to know more than me all said that the IP addresses of all parties had to be known. That's very interesting- thanks for taking the time to reply.

0r8it

0 Helpful

teshreve
Level 1
Level 1

‎10-11-2003 01:42 PM

Only one side is required to be static.

The only caveat is that the static side cannot initiate the tunnel with the dynamic side. The dynamic side must initiate the tunnel. If no interesting traffic is generated by the dynamic side, the static side will not be able to reach the dynamic side.

Usually this is no big deal as the dynamic side is usually trying to reach resources on the static side and not vice-versa.

The following sample config is your ticket and will even allow for PC's running the Cisco VPN client software to connect as well as other PIX firewalls (at the same time, even).

http://www.cisco.com/warp/public/110/dynamicpix.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents