Comments inline:
----- Original Message -----
From: "Tom McNamara" 
To: 
Sent: Thursday, June 21, 2001 10:41 AM
Subject: Simple VPN [7:9358]


> I have a client that wants me to setup a VPN between multiple locations.
> They have three sites.  The Host site will be getting a 1720 router and
> connect to the Internet using 768k Frame Relay.  The two remote locations
> will be connecting to the Internet using a Cisco 802 with 128k Dialup ISDN.
> They are in a rural area that does not have DSL available and Frame is cost
> prohibitive.
>
> So, looking at the solution I am running into some problems/questions.
>
> 1) The ISP is going to provide only three IPs for the Frame connection, so I
> have to use NAT.  Since I want to use IPSec VPNs, is that going to be a
> problem?  Many things on CCO indicate that it is.

It will work with NAT, not PAT.  You have to make an access-list that
disables NAT for destinations on the other side of the VPN tunnel.  PAT
implies only one IP address on the outside interface & no pool...which won't
work.

>
> 2) Since the 802's are dialup ISDN and I cannot get a static IP from the
> ISP, what is going to be the best method for securing the tunnels?

Ewww...ummm...ummm....crap.  I'm not 100% sure but my first idea to
investigate would be allowing the tunnel from the entire subnet of the ISP's
so the other end can initiate the tunnel.  Make SURE you have a very good
pre-shared key that can't be guessed if you do this.  It's a security hole
through the ISP and the password would be your only defense.

>
> Also, I guess if anyone has any better suggestions (that won't break the
> bank) please let me know.  The 1720 is already purchased, however I will
> have to upgrade the IOS to Firewall feature set.

Maybe a GRE tunnel instead?  IPSec is a much better solution but if you're
looking for cheap, that's the only alternative I can think of.

>
> One other thing, I am considering a 506 Firewall at the host site, however I
> am not sure how that will affect things since I am so limited on IP
> addresses from the ISP side.
>

If you have static IPs and can assign one dedicated to the outside interface
and at least one extra for NAT pooling, it will work.  HOWEVER, the 506 is
limited to only 4 peers for VPN tunnels.  Keep that in mind for future
growth before deciding to go with the low end 506.

>
> Thanks in advance for any advice/assistance.
>
>
>
> Tom McNamara, MCSE, CCNA
> McNamara Professional Services
> (407)925-4904 Phone
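As an added illustration (not from the original thread or either poster), here is a hub-side IOS configuration sketch that puts the two points above together: a NAT access-list that exempts traffic bound for the remote LAN from translation, and a dynamic crypto map with a pre-shared key scoped to the remote ISP's address block so the dial-up 802s can initiate. All addresses, names and ACL numbers are constructed placeholders; the exact ISAKMP/IPSec keywords depend on the IOS release and feature set installed.

```cisco
! --- Hub (1720) side; constructed example, addresses are placeholders ---
! Hub LAN 192.168.1.0/24, remote LAN 192.168.2.0/24
! ISP hands out three public IPs from 198.51.100.0/29:
!   .2 = outside interface, .3 = NAT pool address
! Remote 802s dial in from the ISP's 203.0.113.0/24 block (dynamic IP)

! Phase 1: policy and a pre-shared key limited to the remote ISP's subnet.
! Because the peer address is unknown, the key is the only thing that
! authenticates the remote side; use a long, random key.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.0 255.255.255.0

! Phase 2: transform set and a dynamic crypto map so that the remote end,
! whose address changes on every ISDN call, may bring the tunnel up.
crypto ipsec transform-set VPN-TS esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 10
 set transform-set VPN-TS
 match address 110
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP

! ACL 110: traffic that must be encrypted (hub LAN <-> remote LAN)
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! ACL 120: NAT exemption. Deny (= do not translate) VPN traffic first,
! then translate everything else going to the Internet.
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any

! NAT pool using the spare public address (pool, not PAT on the interface)
ip nat pool OUTSIDE-POOL 198.51.100.3 198.51.100.3 netmask 255.255.255.248
ip nat inside source list 120 pool OUTSIDE-POOL

interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface Serial0
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
 crypto map VPN-MAP
```

Order matters in ACL 120: if the permit line came first, the VPN traffic would be translated before the crypto map saw it and would never match ACL 110.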




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9369&t=9358
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]