#1 (permalink)
Registered User
Join Date: Apr 2008
Posts: 6
OS: Multiple PCs - Most with XP SP2

Pix-to-Pix VPN between dynamic IPs needed!
I need some guidance and hope someone here can help. I have a network with 8 physical locations. Currently the main office has a static IP address and a Cisco 506e PIX that is connected to all other locations' Cisco 501 PIX via VPN. This gives everyone access to the main server and files. I would like to establish VPN connectivity from all locations to the others to get a full mesh network and allow employees working temporarily at any location access to the server at their native location. Is this possible with dynamic external IPs? All locations are within the network and are assigned non-routable local addresses so maybe there's a way to use DNS to establish the VPNs. I'm fairly new at PIX configs and would appreciate any input. THANKS.
#2 (permalink)
Registered User
Join Date: May 2008
Posts: 95
OS: XP / 2K3 / RHE / HP-UX

Re: Pix-to-Pix VPN between dynamic IPs needed!
There is a specific tech note on how to do this on CISCO.com. It's specific to exactly what you're talking about here. One word of caution, for a configuration like this I'd also suggest looking into using a certificate to further increase security when it comes to authentication.
Also, PIXs are EOL ... ASAs are pretty much everywhere these days. If you have the funding/budget, I highly suggest upgrading. They are w/o a doubt a very nice improvement from both a management and security standpoint.
#3 (permalink)
Registered User
Join Date: May 2008
Posts: 95
OS: XP / 2K3 / RHE / HP-UX

Re: Pix-to-Pix VPN between dynamic IPs needed!
So I went and hunted it down ... check out the following (GUI pics are of ASA but PIX applies)
http://www.cisco.com/en/US/products/...806c1cd5.shtml
#4 (permalink)
Registered User
Join Date: Apr 2008
Posts: 6
OS: Multiple PCs - Most with XP SP2

Re: Pix-to-Pix VPN between dynamic IPs needed!
Am I missing something? I looked at the link and it simply states how to set up DHCP. I see nothing about the secure VPN establishment which I need but can't figure out how to do. Maybe I'm missing something - I'm not being a smart ***.
I know that the PIXs are on the way out, but the funding is not available to replace 8 of them right now, so we'll have to do for a bit longer. I did get a suggestion that Linksys WRT54GL routers (which are cheap) can have Linux-based 3rd party firmware upgrades that will allow the VPN establishment without a problem using OpenWRT and OpenVPN, but I have zippo experience with that. Any knowledge of such a thing? Thanks.
#5 (permalink)
Registered User
Join Date: May 2008
Posts: 95
OS: XP / 2K3 / RHE / HP-UX

Re: Pix-to-Pix VPN between dynamic IPs needed!
I have actually used dd-wrt and have it currently running on an older Linksys box at my house now. I'm not sure with the new Linksys if the community is still as strong for the firmware upgrades. When CISCO gobbled up Linksys and switched around all of the code, there was talk of abandoning the project (at least for Linksys) due to the inability to get at the source.
I'll take another look at the link ... perhaps I pasted it in haste. I'm sure there is one however on how to set up an IPsec tunnel between peers who are on the _net via DHCP.
#6 (permalink)
Registered User
Join Date: May 2008
Posts: 95
OS: XP / 2K3 / RHE / HP-UX

Re: Pix-to-Pix VPN between dynamic IPs needed!
The premise, at least in this document, is that the 3000 Concentrator accepts a default preshared key. Then the PIX acts like a VPN client when accessing, nulling the requirement that it come from a specific IP address.
This may only give you 1/2 of the equation though. I am not sure if the PIX can be forced to do the same thing. In any event, this should get you moving in the right direction.
http://www.cisco.com/en/US/products/...801dd672.shtml
You might be able to make sense of the 3000 Concentrator side and apply it to your PIX depending on your level of exp with IPsec tunnels.
Last edited by Tekmazter : 05-23-2008 at 08:57 AM.
#7 (permalink)
Registered User
Join Date: May 2008
Posts: 95
OS: XP / 2K3 / RHE / HP-UX

Re: Pix-to-Pix VPN between dynamic IPs needed!
This should help out a little more as it has a PIX accepting inbound IPsec tunnels from another PIX set up with DHCP on its outside interface:
http://www.cisco.com/en/US/products/...80094680.shtml
#8 (permalink)
Registered User
Join Date: Apr 2008
Posts: 6
OS: Multiple PCs - Most with XP SP2

Re: Pix-to-Pix VPN between dynamic IPs needed!
Thanks for the info. I'll read through the information. The second scenario is what we currently have set up with a Dynamic to Static VPN with the main office (which has a static IP) from each remote location, but doesn't seem to have a solution for Dynamic to Dynamic VPNs. I'm beginning to think that the PIX 501 doesn't have that capability, but I could be wrong. I'll check out the articles more closely and see what I find.
#10 (permalink)
Registered User
Join Date: Apr 2008
Posts: 6
OS: Multiple PCs - Most with XP SP2

What a wonderful idea. I do have Smartnet on all the 501s, although my experience with the TAC system is that the left hand never knows what the right hand is doing. It's worth a shot. Thanks for the idea.