New Member

PIX515E <=> PIX506E static tunnel and more...

I need to set up two facilities with the above PIX models. The 515E has software version 7.01 (ASDM 5.02) - the 506E has (6.3/PDM) - I need to create a static VPN tunnel between the two external interfaces which have dynamically assigned IPs (from the ISP). The 506E building does not have any servers and I want to set it up so all the broadcasts and DHCP from the main building (515E) get forwarded through the tunnel so the systems obtain their IPs and Windows domain authentication from the servers in the main building. How do I go about doing that?

Thank you!

3 REPLIES
Bronze

Re: PIX515E <=> PIX506E static tunnel and more...

If both endpoints really have dynamically assigned IP addresses then there's no way to establish a reliable site-to-site tunnel between them. This makes sense if you think about it, since one end has to initiate the tunnel and it has to know the IP address of the peer. If you can manage to get a static address for at least one end then you can make it work. One way is by using wildcard pre-shared keys, but you could probably also use EzVPN in network extension mode, too, and probably even with certificates, but I haven't tried that before.

The PIX does support dhcp forwarding across a VPN tunnel (use the "dhcprelay" command), but does not support general broadcast traffic across a VPN, so you have to work around anything that normally uses broadcast traffic. For Windows networking, for example, you'll want to make sure your dhcp server hands out accurate WINS server information to the clients so they can reach them with unicast traffic.

HTH - Good Luck

Dana
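The relay-over-tunnel approach described in the reply above, written out as a constructed PIX 6.3 configuration for the 506E (spoke) side; this is an added illustration, not a configuration from the thread or from Cisco. It assumes the 515E end has been given a static address (203.0.113.1), that the main-building LAN is 10.1.0.0/24 with the DHCP/WINS server at 10.1.0.10, that the remote LAN is 10.2.0.0/24, and that the 515E side carries the matching dynamic crypto map and wildcard pre-shared key (not shown) so it can accept a peer whose address changes.

```cisco
: 506E (PIX 6.3) spoke side - constructed example, all addresses are assumed
: Interesting traffic: remote LAN to main LAN, and exempt it from NAT
access-list VPN_TRAFFIC permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NO_NAT permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
: Phase 1 - the pre-shared key is bound to the one peer that has a static IP
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Phase 2 - static crypto map pointing at the static peer
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map TO_MAIN 10 ipsec-isakmp
crypto map TO_MAIN 10 match address VPN_TRAFFIC
crypto map TO_MAIN 10 set peer 203.0.113.1
crypto map TO_MAIN 10 set transform-set ESP-AES256-SHA
crypto map TO_MAIN interface outside
sysopt connection permit-ipsec
: DHCP relay - the PIX turns client broadcasts on inside into unicast
: requests to the server in the main building, since the tunnel carries
: no broadcast traffic. setroute rewrites the offered default gateway
: to the PIX inside address so clients do not point at the remote LAN.
dhcprelay server 10.1.0.10 outside
dhcprelay enable inside
dhcprelay setroute inside
```

Because the relayed requests are sourced by the PIX itself rather than by a LAN client, confirm with `show crypto ipsec sa` that they are actually matched by the crypto ACL and encrypted, and make sure the server's scope for 10.2.0.0/24 hands out the WINS address so name resolution works over unicast.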

New Member

Re: PIX515E <=> PIX506E static tunnel and more...

Thanks for the response. What if both ends have hostnames mapped to the dynamic addresses (using DynDNS)? I found some configuration examples but I haven't seen any where the peer would be defined by hostname (IP address only) - the hostname would have to be resolved by a DNS server each time the tunnel is established.

Bronze

Re: PIX515E <=> PIX506E static tunnel and more...

You're correct that there is no support for adding pre-shared keys by hostname, so that's not an option. However, I think what you want to do would work if you used certificates instead of pre-shared keys, since certificates contain the hostnames of the endpoints instead of the IP addresses. This would be quite a bit more work, and you'd probably either have to sign up with a certificate service or run your own, which might not be worth it to you. I haven't done this, but here's a link to a sample that I'd try if I were to try it:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800946c0.shtml

Good luck!

Dana
