PIX 8.x to ASA 8.x Site (static ip) to Site (dynamic ip) tunnel configuration

Hi,

I have a PIX 515e with OS 8.x (central static IP) and an ASA 5505 with OS 8.x (remote dynamic IP). We are trying to build a tunnel between the office and a home user. The office has a static IP and currently accepts Cisco VPN client (ipsec) connections without a problem.

I have tried building a tunnel using the ASDM on both ends without much success. I have been able to build it with a typical static Site to Site tunnel, but as soon as the IP changes on the home user side, it obviously drops.

I can provide the configurations if necesary, but can anyone provide a sample base config for both ends or provide any tips? I tried folowing the Cisco guides that I could find, but they are all for 7.x on the central PIX and 6.x on a remote PIX 501.

Any help is greatly appreciated.

Thank you!

-Joe

Reply to
JoeG
Loading thread data ...

Have you looked at EasyVPN?

Regards, Andrey.

Reply to
Andrey Tarasov

Hi, Yes. Actually that's how it is working now. Unfortunately it works great..... EXCEPT .. you can't configure any other tunnels. We need to have it set up so you can tunnel into the remote ASA with Cisco VPN as well.

Thanks

Reply to
JoeG

Hmm... Since remote ASA has dynamic IP, how exactly does RA VPN work in that case? I'd say if you want to have L2L tunnels and RA at remote ASA, static IP is required.

Regards, Andrey.

Reply to
Andrey Tarasov

I acutally had that portion working with DynDNS and a hostname. We just can't get the L2L site-to-site tunnel up.

Reply to
JoeG

Ah, good call!

If I remember correctly, 5510 and above can be EasyVPN client and server at the same time. Another (cheaper :-) option is to talk to ISP and see if they offer static IP.

Regards, Andrey.

Reply to
Andrey Tarasov

Unfortunately it's an ASA 5505 ... and the ISP is a cable company and they only offer static IPs to business-class plans. The cheapest of those is like $200/mo... (the remote user is a residence)

Reply to
JoeG

Here you go. ASA5510-BUN-K9 can be obtained for ~$2300 and 5505-10 for about ~$400. Question - how soon will you get break even by buying 5510 and not paying for business-class plan?

Regards, Andrey.

Reply to
Andrey Tarasov

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.