I have a PIX running 6.3(5) with 5 site-to-site IPsec tunnels (static IPs) and one dynamic IP one (all using only pre-shared keys, no AAA). I'd like to allow an outside vendor access to a particular VLAN and allow them to enter from any IP address.
The dynamic IP site has a PIX 501 at it, so I assume I can upgrade to some kind of user/pass in there for it to come in with. Is it possible to terminate the dynamic connections using the local AAA database? I'm not clear on the relationship between the pre-shared key and where a user/pass comes in (regardless of whether it goes to RADIUS or not).
Also, is it possible to restrict the vendor's credentials to a particular VLAN and always give them the same IP address on that VLAN? The current setup doesn't give anyone IP addresses, including the dynamic site. It just routes. I have access to an ACS server but would like to keep things as simple as possible.
I also have a 1811 that's currently a VPN between another vendor and the back of their server here. Would it be easier and less disruptive to try and do it on this one? I'm not sure of the 1811's capabilities in this respect. But it might keep "outsiders" on their own router and off of the other firewall.