I need to set up two facilities with the above PIX models. The 515E has software version 7.01 (ASDM 5.02) - the 506E has (6.3/PDM) - I need to create a static VPN tunnel between the two external interfaces which have dynamically assigned IPs (from the ISP). The 506E building does not have any servers and I want to set it up so all the broadcasts and DHCP from the main building (515E) get forwarded through the tunnel so the systems obtain their IPs and Windows domain authentication from the servers in the main building. How do I go about doing that?
If both endpoints really have dynamically assigned IP addresses then there's no way to establish a reliable site-to-site tunnel between them. This makes sense if you think about it, since one end has to initiate the tunnel and it has to know the IP address of the peer. If you can manage to get a static address for at least one end then you can make it work. One way is by using wildcard pre-shared keys, but you could probably also use EzVPN in network extension mode, too, and probably even with certificates, but I haven't tried that before.
The PIX does support dhcp forwarding across a VPN tunnel (use the "dhcprelay" command), but does not support general broadcast traffic across a VPN, so you have to work around anything that normally uses broadcast traffic. For Windows networking, for example, you'll want to make sure your dhcp server hands out accurate WINS server information to the clients so they can reach them with unicast traffic.
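As an added illustration of the dhcprelay approach described in the reply above (this is not configuration from the original thread or from either poster), here is a minimal PIX 6.3 style relay configuration for the remote (506E) site. The addresses are constructed: 192.168.2.0/24 is assumed to be the remote LAN, 192.168.1.0/24 the main LAN, and 192.168.1.10 the Windows DHCP/WINS server behind the 515E. The crypto map and ISAKMP settings are assumed to already exist; only the lines that matter for relaying DHCP are shown.

```cisco
! --- Remote PIX 506E (6.3): relay DHCP from the inside LAN to the server at HQ ---
! Interesting traffic for the tunnel (PIX 6.3 access-lists use subnet masks, not wildcards).
! Addresses below are constructed for this example.
access-list VPN-TRAFFIC permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! The relayed DHCPDISCOVER is sourced by the PIX itself, so the crypto ACL also has to
! match the relay traffic toward the DHCP server. A dynamically assigned outside address
! cannot be written into the ACL as a fixed host, which is one more reason this site
! needs a static address (or a static address on the peer, as the reply above notes).
! Replace OUTSIDE-IP-PLACEHOLDER with the address actually used by the relay.
access-list VPN-TRAFFIC permit udp host OUTSIDE-IP-PLACEHOLDER host 192.168.1.10 eq 67

! DHCP relay: forward client requests arriving on "inside" to the server reachable via "outside".
dhcprelay server 192.168.1.10 outside
dhcprelay enable inside
! Rewrite the default-gateway option in replies to this PIX's inside address,
! so clients route through the local PIX rather than a gateway on the HQ LAN.
dhcprelay setroute inside
! Seconds to wait for a server reply before giving up on a client request.
dhcprelay timeout 90

! Apply the interesting-traffic ACL to the existing crypto map entry (name and sequence assumed).
crypto map VPN-MAP 10 match address VPN-TRAFFIC
```

Because general broadcasts are not carried across the tunnel, the Windows server side still has to hand out WINS addresses in its DHCP scope (option 44) and set node type (option 46) so NetBIOS name resolution and domain logon use unicast to 192.168.1.10 rather than broadcast. Verify relay traffic is actually hitting the tunnel with `show crypto ipsec sa` on both ends before debugging the Windows side.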
Thanks for the response. What if both ends have hostnames mapped to the dynamic addresses (using DynDNS)? I found some configuration examples but I haven't seen any where the peer would be defined by hostname (IP address only) - the hostname would have to be resolved by a DNS server each time the tunnel is established.
You're correct that there is no support for adding pre-shared keys by hostname, so that's not an option. However, I think what you want to do would work if you used certificates instead of pre-shared keys, since certificates contain the hostnames of the endpoints instead of the IP addresses. This would be quite a bit more work, and you'd probably either have to sign up with a certificate service or run your own, which might not be worth it to you. I haven't done this, but here's a link to a sample that I'd try if I were to try it: