We have a customer who wants to set up a VPN, at fairly low cost. They operate a fleet of ships which periodically come into dry dock.
While in dock, they wish to be able to access their corporate LAN via VPN; no VPN exists at present. We have identified GPRS as being about the only transmission medium available that meets their needs in terms of cost, bandwidth and mobility.
What they are after is a form of VPN: I suggested a Cisco PIX (I'm thinking about a 501) as VPN terminator at their headquarters.
The complication is: we won't know for definite what their inbound IP address will be, as their GPRS dial-up ISP operates DHCP, which will make VPN config creation difficult. However, I do know what range of IP addresses the ISP (it is O2 in the UK, the mobile phone company) hands out from their address pool.
So, my question is: can a config be defined on the PIX 501 that will allow a VPN tunnel to be created from a known range of IP addresses, rather than a single IP?
BTW: I've ruled out Cisco's 'Easy VPN' service, as we will not have Cisco kit at both ends (VPN over an O2 GPRS dial-up connection would seem to need a custom VPN client devised by O2, although they claim it is IPSec compatible). I don't think DDNS would work either.
As far as I can understand, you want a PIX to terminate software VPN client requests. Being so, you don't need to configure those VPN client source IPs (ISP public Internet IPs). You can configure the PIX to receive VPN requests from anywhere in the Internet as long as they have the correct usernames/passwords to establish the VPN IPSec tunnels.
That's really wowed me; I've only just really started to look at VPNs, but even those I've spoken to who seem to know more than me all said that the IP addresses of all parties had to be known. That's very interesting; thanks for taking the time to reply.
The only caveat is that the static side cannot initiate the tunnel with the dynamic side. The dynamic side must initiate the tunnel. If no interesting traffic is generated by the dynamic side, the static side will not be able to reach the dynamic side.
Usually this is no big deal as the dynamic side is usually trying to reach resources on the static side and not vice-versa.
The following sample config is your ticket and will even allow for PCs running the Cisco VPN client software to connect as well as other PIX firewalls (at the same time, even).
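As an added illustration of the dynamic crypto map approach described in the reply above (this is not the poster's sample config, and not a Cisco reference configuration), here is a PIX 6.3-style fragment for the headquarters PIX 501. The inside subnet 192.168.1.0/24, the client pool 10.10.10.0/24, the names mymap/dynmap/strong/shipclients and the masked secrets are all assumptions chosen for the example; the wildcard `isakmp key ... 0.0.0.0 netmask 0.0.0.0` is what lets peers at unknown source addresses (the O2 DHCP pool) negotiate, and XAUTH against LOCAL users supplies the per-user authentication the earlier reply refers to.

```cisco
! Added example, not the original post's config. Assumed addresses and names.
! Traffic between HQ LAN and the VPN client pool must bypass NAT.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
! Addresses handed to software VPN clients once the tunnel is up.
ip local pool vpnpool 10.10.10.1-10.10.10.50
! Let decrypted IPSec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
! Phase 2: AES-256 with SHA-1 integrity (supported from PIX 6.3).
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
! Dynamic map: no "set peer" because the remote address is unknown in advance.
! Consequence: only the remote (dynamic) side can bring the tunnel up.
crypto dynamic-map dynmap 10 set transform-set strong
! Static map entry that references the dynamic map; lowest priority last.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
! XAUTH: software clients must also present a username/password.
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
! Phase 1 (IKE) settings.
isakmp enable outside
isakmp identity address
! Wildcard pre-shared key: accepted from any peer address (the O2 pool included).
! Assumed placeholder secret; replace with a long random value.
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! GPRS carriers commonly NAT subscribers; NAT-T keeps ESP working through it.
isakmp nat-traversal 20
! Group profile used by Cisco VPN client PCs (group name/password assumed).
vpngroup shipclients address-pool vpnpool
vpngroup shipclients idle-time 1800
vpngroup shipclients password ********
! Local XAUTH users, one per ship or per operator (assumed names).
aaa-server LOCAL protocol local
username ship1 password ********
username ship2 password ********
```

Verify with `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX after a client from the ship side initiates; nothing will appear until the dynamic side sends interesting traffic, which is the caveat the reply describes.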