site to site ipsec without public ip at one end

I have a remote LAN which is located inside another company. I would like to set it up so that the headquarters LAN can access resources of that remote LAN. The remote LAN does not have any public IP address, but it can go through the other company's network to reach the Internet.

Does site-to-site IPsec work in this case? Or is there any other solution that can help the main LAN access the remote LAN?

Thanks,

DT

dt1649651

Yes, site-to-site ipsec *can* work in such cases, but it depends upon the equipment and software version as to whether it can be configured. Also, if the connection is lost between HQ and the remote LAN for any reason, then it would have to be the remote LAN that requested the connection to HQ, unless the other company is willing to reserve a static public IP that gets NAT'd to their internal private IP.

There is one setup where the HQ can connect more readily to the remote LAN, and that is if DMVPN is configured. DMVPN is available on some of the routers (including the 87x I believe) but it is not available in PIX 6, and I don't know if it is available in PIX 7 or PIX 8 or the ASAs.

Walter Roberson

Thanks, Walter. I tried this and it works. And as you said, yes, the remote LAN has to initiate the connection. Is it possible to have the remote router initiate the connection by itself? Or do I need some external device (PC, server) on the remote site to do that?

DT

dt1649651

There may be an "official" way to do this, I don't know, but one workaround that I have used in the past on routers is

ntp server far-side-of-vpn ntp source inside-interface-address

This generates periodic traffic from the inside of the router to the target which may stimulate the VPN.

Make sure you understand if you will get sufficiently frequent traffic for your needs.

Also consider SAA (now renamed again I think). This is a much better plan.

Another alternative is to try to make sure the VPN never goes down say by pinging from the centre but that will never be completely reliable since if the pings stop for any reason then the VPN will not be recoverable from the outside except by some intervention using the external address of the router.

Bod43
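A worked version of the two keepalive approaches above for the remote-site router (the private-IP end), added here as an example and not taken from the thread or from any vendor documentation. The addresses (10.20.0.0/24 remote, 10.10.0.0/24 HQ, 10.10.0.1 as the HQ-side probe target), the interface name Vlan1 and the ACL number are assumed; the commands are the IOS 12.4-era `ip sla` form (older images use `rtr` / `ip sla monitor`), and they go on top of an existing crypto map that references ACL 110.

```cisco
! Remote-site router, behind the other company's NAT (addresses assumed).
!
! Crypto ACL: defines the "interesting" traffic between the two LANs.
! Any keepalive must be sourced from 10.20.0.0/24 toward 10.10.0.0/24,
! otherwise it never matches this ACL and never brings the tunnel up.
access-list 110 permit ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255
!
! Option 1 (the NTP trick from the post): periodic NTP polls to an HQ-side
! time server, sourced from the inside interface so they match ACL 110.
! NTP polling backs off to roughly 17 minutes once synchronised, so a
! dropped tunnel may stay down that long before it is re-triggered.
ntp server 10.10.0.1 source Vlan1
!
! Option 2 (IP SLA, the feature formerly called SAA): an ICMP echo every
! 30 seconds from the inside address to an HQ host. A lower frequency
! means a faster rebuild after a drop, at the cost of more probe traffic.
ip sla 10
 icmp-echo 10.10.0.1 source-ip 10.20.0.1
 frequency 30
ip sla schedule 10 life forever start-time now
!
! Optional: track the probe so the router logs a state change when HQ
! becomes unreachable, which is the signal that the tunnel has dropped.
track 1 ip sla 10 reachability
```

Either option only restores the tunnel from the remote side; if the remote router itself is unreachable (power, the other company's network, a changed NAT address), HQ still has no way to bring the tunnel up from its end.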

Thanks. I will use this trick in this particular case: the remote system has no "users". They have only several printers.

Never used SAA. Will (learn and) try it.

Thanks. DT

dt1649651