From: Chad Hintz (ccie_2b2004@yahoo.com)
Date: Mon Jun 06 2005 - 19:40:01 GMT-3
You would be able to do this as a Hub (515e-static ip) and 5 spokes (501-dynamic ip) using ez vpn. The 515e would be the server and each client 501 would be able to come into it. Also make sure isakmp nat-traversal is applied on the hub because you will be coming from behind NAT from the client side.
Here is the link on how to configure EZ vpn.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/basclnt.htm#wp1053201
HTH,
Chad
john matijevic <john.matijevic@gmail.com> wrote:
Hello Matt,
7.0 version code is not available for PIX 501.
Richard,
I have the setup deployed in production environment that you mention and we
have static ip addresses assigned, I'm not saying that dynamic addresses won't
work, but I do have it working with static addresses, please contact me
offline if you would like to discuss further.
Sincerely,
John
On 6/3/05, Richard Anderson wrote:
>
> Hi Matt,
>
> Assuming PIX 501 will act just like a Software VPN Client, wouldn't it
> work.
> Just to clarify, I am only talking about configuring PIX 501 at 5 locations
> connecting only back to PIX 515 at corporate location. There won't be any
> spoke-to-spoke connectivity, just simple (1) Hub and 5(Spokes).
>
> Thanks,
>
> ----- Original Message -----
> From: "Matt Mullen"
> To: "Richard Anderson"
> Cc: "Group Study"
> Sent: Friday, June 03, 2005 11:16 AM
> Subject: Re: Public address forVPN Tunnel
>
>
> > Hi Richard,
> >
> > With PIX 6.3(x) code it would not be possible to have spoke-to-spoke
> > connectivity due to a limitation of the PIX not being able to route
> > traffic back out the same interface on which it was received. PIX 7.0
> > code is supposed to address this issue but I have not had a chance to
> > test this as of yet.
> >
> > Thanks,
> > Matt
> >
> > On 6/1/05, Richard Anderson wrote:
> > > Hi Matt,
> > >
> > > Thanks for your help. One more question.
> > >
> > > Can EZVPN work in a hub and spoke topology? I have got 6 remote locations
> > > with PIX 501 that will need access to PIX515 at Corporate Office.
> > >
> > > Thanks again,
> > >
> > > ----- Original Message -----
> > > From: "Matt Mullen"
> > > To: "Richard Anderson"
> > > Cc:
> > > Sent: Tuesday, May 24, 2005 7:58 AM
> > > Subject: Re: Public address forVPN Tunnel
> > >
> > >
> > > Richard,
> > >
> > > One way of solving this problem would be to configure the 515 as an
> > > EZVPN server and the 501 as an EZVPN client. This will allow the 501
> > > to function very similar to the Cisco VPN Client software so that it
> > > can connect regardless of the dynamic ip address. The configuration
> > > of the 515 will also be similar to the config used to support software
> > > VPN clients. If your 515 is already configured to support VPN Client
> > > software, then all you need to do is configure the 501 as an EZVPN
> > > client.
> > >
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/basclnt.htm
> > >
> > > HTH,
> > > Matt
> > >
> > >
> > > On 5/23/05, Richard Anderson wrote:
> > > > I am setting up a VPN Tunnel between corporate PIX 515E and a PIX 501 at
> > > > home. At home, the client has cable Modem/DSL connection with dynamic
> > > > address. Won't it be a problem configuring a dynamic public address for
> > > > establishing a successful tunnel. Does it require to have a static IP
> > > > address at home location from the ISP?
> > > >
> > > > Regards,
> > > >
> > > > Richard
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
-- John Matijevic, CCIE #13254 U.S. Installation Group Senior Network Engineer 954-969-7160 ext. 1147 (office) 305-321-6232 (cell)
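The hub-and-spoke Easy VPN arrangement discussed in this thread, as an added configuration example that is not taken from any poster's message or from a production device. It assumes PIX 6.3 syntax on both ends and network extension mode on the spokes; the group name, crypto map names, the hub address 192.0.2.1, the inside networks and the key placeholder are all constructed for illustration.

```cisco
: ---- Hub: PIX 515E (static outside address), Easy VPN server ----
: Exempt hub-LAN traffic destined for the spoke LANs from NAT
: (10.1.0.0/16 and 10.2.0.0/16 are assumed example networks)
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
: With this setting decrypted tunnel traffic bypasses interface access-lists
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
: Dynamic map: no peer is listed, because the spoke addresses are not known
crypto dynamic-map SPOKES-DYN 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 65000 ipsec-isakmp dynamic SPOKES-DYN
crypto map OUTSIDE-MAP interface outside
isakmp enable outside
isakmp identity address
: NAT traversal on the hub, as advised in the thread (keepalive in seconds)
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
: Group that every spoke authenticates against (placeholder key)
vpngroup SPOKES password <GROUP-KEY-PLACEHOLDER>

: ---- Spoke: each PIX 501 (dynamic outside address), Easy VPN remote ----
: The spoke always initiates toward the hub's static address
vpnclient server 192.0.2.1
vpnclient mode network-extension-mode
vpnclient vpngroup SPOKES password <GROUP-KEY-PLACEHOLDER>
vpnclient enable
```

The spoke side needs no crypto map or peer statement of its own, which is why a changing ISP-assigned address on the 501 does not matter: only the hub's address has to be fixed.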
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3