Jffishbones

What is the best VPN solution for temporary satellite offices?


Hello and thanks in advance for any help you can give me.

Here is the scenario:
Our network is Cisco PIX based. We have 8 plants throughout the US and are opening more soon. Our current configuration is that each plant has 2 T1s, one for WAN and one for internet. Our PIXes are configured with crypto maps to all other sites for WAN failover. My problem is we are launching new plants and I have users in hotel conference rooms with a single internet connection that I need to make into a satellite office. Does anyone have a good way to make this happen? I would like a simple solution that involves minimal equipment.

Thanks.
harbor235

A PC armed with the Cisco Easy VPN client, which is downloadable free from the Cisco site. The type of medium is not relevant. However, you may need to adjust for the latency in the satellite network.

harbor235
LloydSev

The PIX came with the Cisco VPN Client.  You can use this for your IPSec connectivity.
Jffishbones

ASKER

The only problem with the VPN client is you can only have one tunnel from the source IP at a time, whereas I need multiple users accessing the VPN concentrator from the same source IP (hotel conference room over cable or DSL).
You can have multiple VPN clients running behind a single NAT address.  VPN NAT traversal is based around a hash of the REAL address (eg 10.0.0.1) and the destination address (your VPN server), so as long as each client in the hotel has a different private IP address - eg 10.0.0.1, 10.0.0.2 then this really doesn't matter.
Cisco Easy VPN Config instructions here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html
Theoretically, you could get a Linksys that does end point termination.  Then everyone behind it goes through the tunnel.  You could buy them pretty cheap, configure everything in house, and then ship them out to the remote site for user installation.
Certain older model Linksys/Netgear routers don't understand IPSec very well (a second VPN attempt will kill the first one). In the Cisco VPN software, you can check "IPSec over UDP" in the transport tab of your VPN profile; that way, even a cheap Linksys would not be confused by IPSec. We have a similar case and it works well for us.
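The behaviour described in the comment above, as an added illustration that is not part of any post in this thread and is not vendor code: a simplified NAT translation table showing why a second native-ESP tunnel displaces the first, while UDP-encapsulated tunnels coexist. The `NatGateway` class, the addresses and the source port are constructed for the example, and real NAT devices vary in how they track ESP.

```python
ESP, UDP = 50, 17  # IP protocol numbers

class NatGateway:
    """Constructed model of a port-translating NAT's state table."""
    def __init__(self):
        self.inbound = {}      # inbound lookup key -> inside host
        self.ports = {}        # (inside_ip, src_port, remote_ip) -> public port
        self.next_port = 40000

    def send(self, inside_ip, proto, remote_ip, src_port=None):
        """Record state for an outbound packet and return the inbound key."""
        if proto == ESP:
            # ESP carries no port fields, so a simple NAT can only key the
            # return path on (protocol, remote peer). The newest client wins.
            key = (ESP, remote_ip)
        else:
            # IPsec inside UDP: each inside flow gets its own public port,
            # so return traffic can be told apart per client.
            flow = (inside_ip, src_port, remote_ip)
            if flow not in self.ports:
                self.ports[flow] = self.next_port
                self.next_port += 1
            key = (UDP, remote_ip, self.ports[flow])
        self.inbound[key] = inside_ip
        return key

    def deliver(self, key):
        """Return the inside host that receives a reply matching this key."""
        return self.inbound.get(key)

def reachable_clients(proto, clients, concentrator="203.0.113.10"):
    """List the clients whose return traffic still reaches them."""
    nat = NatGateway()
    # 50000 is a constructed source port; every client uses the same one.
    keys = {ip: nat.send(ip, proto, concentrator, src_port=50000)
            for ip in clients}
    return sorted(ip for ip, key in keys.items() if nat.deliver(key) == ip)

if __name__ == "__main__":
    hotel = ["10.0.0.1", "10.0.0.2"]   # constructed private addresses
    print("native ESP :", reachable_clients(ESP, hotel))
    print("over UDP   :", reachable_clients(UDP, hotel))
```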
We use the Cisco VPN client with IPSec/UDP already; the problem is our VPN concentrator will not allow more than one connection at our corporate office from the same network.
Also, once we establish a VPN to the corporate office, how can we get the traffic to route to all other plants which are connected via WAN?
>>We use the Cisco VPN client with IPSec/UDP already; the problem is our VPN concentrator will not allow more than one connection at our corporate office from the same network.

This is a problem on your corporate office side.  So, if my neighbor and I are on the same broadband network and presumably the same IP network, we could not both do VPN at the same time?

>>Also, once we establish a VPN to the corporate office, how can we get the traffic to route to all other plants which are connected via WAN?

This is simple with routing. You route your VPN network as you would any other internal net.
It appears to happen that way, but I'm not sure if it is related to the hotel network the users are on.

Not knowing much about the concentrator, I assumed it was a security thing on our end.
We have a lot of trouble with hotels. It's usually because of the hotels' network infrastructure: proxy servers, authentication, firewalls, etc. A lot of them block IPSec. We're working on an SSL VPN because of all the hotel problems.
Where did you read that the VPN 3000 only supports ONE connection from each IP address? Do you have NAT-T (NAT traversal) enabled in the configuration? This behaviour strikes me as a little odd, although typical Cisco if this is indeed the case...  ;)
The problem is we have all our laptop users' Cisco clients configured for IPSec over UDP, which, when coming from the same site, does not allow the use of TCP ports for address translation at the concentrator.
Anyone had any experience with the Cisco 3002 VPN hardware client? Looks like it might take care of this problem.
ASKER CERTIFIED SOLUTION
Tim Holman