VPN with a dynamic Outside IP

beckettair
Level 1

I currently have a Cisco 677 ADSL unit connected to our ISP using a dynamic IP. A PIX 506E is used as a firewall that connects the 677 to our corporate network. The current configuration allows users on our corporate network to access the internet. But, we also would like to allow remote users to access our corporate network using a VPN connection. Is this possible using just one dynamic IP? I have registered with a dynamic DNS service so that remote users can point back to us - but it seems that I am only pinging back to the 677 and am not able to get through to the PIX. Am I missing something? Thanks in advance for any help on this.

7 Replies

kdurrett
Level 3

It is possible, but not with your current equipment. The PIX doesn't support an IPsec/NAT connection. The VPN 3000 does. The PIX requires that you have a static or NAT (one-to-one) translation in order to connect with the VPN client. You could set up a LAN-to-LAN tunnel, but your 677 doesn't support that. You need a PIX or a router on your client side.

Kurtis Durrett

Thanks for the response.

So, if I understand correctly, getting a static IP from our ISP is my only solution with the current hardware?

Chris

Well, your IP address can be assigned through DHCP as long as you are not being port address translated by the ISP; you will need to have a public IP address. The 677 acts like a bridge, right? So the IP address you get from the ISP should be on your PC? winipcfg. If this is the case, you should be able to connect to the PIX. If you are using ICS, though, and trying to connect additional PCs, then yes, you will need more IPs for those PCs.

Kurtis Durrett

Currently, the 677 is set up in Routing mode. NAT is enabled. DHCP is disabled. Should it be in Bridging mode?

So the 677 is doing NAT for your PC. If you only have one PC, then you can set it up in bridging mode so that the one IP goes straight to your PC. Then things should be fine. If you have multiple PCs, then you will have to get multiple IPs or get another device to do an L2L tunnel.

Kurtis

Oh boy, I don't think that will work since the outbound side is serving the corporate network for browsing the internet. So, internally the 677 is being shared by many PCs to gain access to the internet. Am I stuck?

Sorry to tell you, but yes, you are. You have a couple of options (Cisco solutions); both include more equipment.

1. Terminate your tunnel at a VPN 3000 concentrator instead of the PIX.

2. Create an L2L tunnel on the client side; a cheap solution is a PIX 501 (other vendors as well). Or you can get an 806, or use a uBR900 instead of the 677.

3. Wait for 6.3 on the PIX, due to come out sometime early next year. I hear from other posts that this will have the NAT traversal feature. Contact your local Cisco account rep for more information.

Kurtis Durrett
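The thread above never spells out why a PIX behind a port-translating device (or a VPN client behind one) cannot terminate IPsec without NAT traversal, so here is an added illustration; it is not from the original posts or from Cisco. It models, in Python, a toy PAT device of the kind the 677 is acting as (one public IP shared by many inside PCs) and shows two things: raw ESP (IP protocol 50) carries an SPI but no transport ports, so a PAT table keyed on ports has nothing to multiplex on; and NAT traversal as standardised in RFC 3948 wraps both IKE and ESP in UDP port 4500, using a four-byte zero "non-ESP marker" to tell IKE apart from ESP (a real ESP SPI is never zero). The addresses, ports above 40000 and payload bytes are constructed for the example; the port 4500 and the zero marker come from the RFC.

```python
"""Toy model: why raw ESP fails through a port-translating NAT, and how
NAT-Traversal (UDP encapsulation of ESP, RFC 3948) gives it ports again.
Added example; addresses, inside hosts and payloads are constructed."""
import struct

ESP_PROTO = 50          # IP protocol number for ESP
UDP_PROTO = 17          # IP protocol number for UDP
NAT_T_PORT = 4500       # UDP port used by NAT-T for both IKE and ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE inside UDP/4500


def build_esp(spi, seq, payload):
    """Raw ESP: 4-byte SPI, 4-byte sequence number, then ciphertext.
    There is no port field anywhere in this header."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the marker")
    return struct.pack("!II", spi, seq) + payload


def build_udp(src_port, dst_port, payload):
    """Minimal UDP header; RFC 3948 allows a zero checksum for NAT-T."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def udp_src_port(udp_packet):
    return struct.unpack("!H", udp_packet[:2])[0]


def encapsulate_esp(spi, seq, payload):
    """UDP-encapsulated ESP: the SPI sits right after the UDP header."""
    return build_udp(NAT_T_PORT, NAT_T_PORT, build_esp(spi, seq, payload))


def encapsulate_ike(ike_message):
    """IKE over UDP/4500 is prefixed with the four zero bytes."""
    return build_udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + ike_message)


def demux_nat_t(udp_payload):
    """Receiver side of UDP/4500: zero marker -> IKE, otherwise ESP."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("IKE", udp_payload[4:])
    spi = struct.unpack("!I", udp_payload[:4])[0]
    return ("ESP", spi)


class PortNat:
    """Toy PAT device: many inside hosts share one public IP; the
    translation table is keyed on (protocol, inside IP, inside port)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}
        self.next_port = 40000  # constructed starting point for mapped ports

    def translate(self, inside_ip, proto, packet):
        """Return the outbound packet after PAT, or None if it cannot be
        port-translated at all."""
        if proto == UDP_PROTO:
            src, dst, length, csum = struct.unpack("!HHHH", packet[:8])
            key = (proto, inside_ip, src)
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return struct.pack("!HHHH", self.table[key], dst, length, csum) + packet[8:]
        if proto == ESP_PROTO:
            # Nothing to key the mapping on: two inside hosts sending ESP to
            # the same peer are indistinguishable on the return path.
            return None
        raise ValueError("unsupported protocol %d" % proto)


def demo():
    """Two inside PCs behind one public IP, with and without NAT-T."""
    nat = PortNat("203.0.113.1")  # constructed public address
    raw_a = nat.translate("192.168.1.10", ESP_PROTO, build_esp(0x1001, 1, b"a"))
    natt_a = nat.translate("192.168.1.10", UDP_PROTO, encapsulate_esp(0x1001, 1, b"a"))
    natt_b = nat.translate("192.168.1.11", UDP_PROTO, encapsulate_esp(0x2002, 1, b"b"))
    return {
        "raw_esp_translated": raw_a is not None,
        "natt_ports": (udp_src_port(natt_a), udp_src_port(natt_b)),
        "natt_demux": demux_nat_t(natt_b[8:]),
    }


if __name__ == "__main__":
    print(demo())
```

With NAT-T each inside host gets its own mapped UDP source port, so the PAT device can route the replies back, which is exactly what the raw-ESP case cannot do; this is the capability the thread's third option refers to.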