 |

11-20-2008, 10:37 PM
|
|
Junior Member
|
|
Join Date: Jul 2008
Posts: 5
|
|
IPSEC PIX Dynamic to ASG425 Static?
Has anyone done this successfully? If so I was wondering if someone could share with me their PIX config so I can see what I'm doing wrong. On the one end I have pix501 running 6.3. On the other end I have the Astaro425 running v7.304. I've connected other devices to the astaro using dynDns, and several with static IPs.
If you can help me out with this, to show my appreciation I'll send you a functioning PIX501 for free (if you live in the continental US). I know it isn't a whole lot, but the technical help would be really appreciated.
Thanks much in advance!
|

11-21-2008, 03:56 PM
|
|
Junior Member
|
|
Join Date: Jul 2008
Posts: 5
|
|
DYNAMIC Pix to STATIC ASG?
I appreciate the link Patrick, but the difference is the PIX has a dynamic address. I've read umpteen articles showing how to connect various static endpoints. I've also taken the same pix and successfully created an ipsec tunnel no problem using static ip on both ends.
I've searched the knowledgebase for days and am getting a little frustrated because there is nothing that explains how a pix getting its host address via DHCP can be set up to dynamically connect to the ASG. The ASG is properly configured based on everything I've read.
I would be indebted if anyone was able to provide additional insight. Plus, I'll send you TWO functioning pixes for your time (continental US only) if you can help me get this working. My company recently migrated from a pix network to an MPLS (so we have LOTS of pix 501s).
Thanks again for your help.
|

11-21-2008, 04:04 PM
|
 |
Moderator
|
|
Join Date: Mar 2007
Location: Oklahoma City
Posts: 3,010
|
|
The Astaro can only be configured with a single PSK for working with non-static endpoints. If you have already configured 'IPSec' or 'L2TP over IPSec' in 'Remote Access', then you cannot use a different PSK for the 'Site-to-Site' connection.
If you've been entering a different PSK when you configure Site-to-Site, the Astaro has ignored that.
Is that the issue?
Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
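The single-PSK point in the post above, as an added example that is not part of the original post and is not Astaro or Cisco code: a simplified Python model of pre-shared-key selection in IKEv1 Main Mode (RFC 2409), where the responder has to pick the key from the packet's source address before it can read the initiator's ID. It assumes the ASG behaves like a standard Main Mode responder; the addresses, keys, the `ANY_PEER` label and the exchange string are constructed.

```python
import hashlib
import hmac
import os

ANY_PEER = "any"  # example label for "every peer without a known address"

def prf(key, data):
    # HMAC-SHA1 stands in for whichever PRF the peers negotiated.
    return hmac.new(key, data, hashlib.sha1).digest()

def hash_i(psk, ni, nr, exchange):
    # RFC 2409: SKEYID = prf(PSK, Ni_b | Nr_b); HASH_I = prf(SKEYID, ...)
    return prf(prf(psk, ni + nr), exchange)

class Responder:
    """Static-IP gateway; secrets are keyed by the peer's source address."""

    def __init__(self, secrets):
        self.secrets = secrets

    def select_psk(self, src_ip):
        # The initiator's ID payload is encrypted under keys derived from
        # SKEYID, so the PSK must be chosen before the ID can be read.
        # Only the packet's source address is available for the lookup.
        return self.secrets.get(src_ip, self.secrets.get(ANY_PEER))

    def authenticate(self, src_ip, ni, nr, exchange, received_hash):
        psk = self.select_psk(src_ip)
        if psk is None:
            return False
        expected = hash_i(psk, ni, nr, exchange)
        return hmac.compare_digest(expected, received_hash)

def attempt(responder, src_ip, initiator_psk):
    """Run one simplified authentication from src_ip with initiator_psk."""
    ni, nr = os.urandom(16), os.urandom(16)
    exchange = b"g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDii_b"  # constructed stand-in
    sent = hash_i(initiator_psk, ni, nr, exchange)
    return responder.authenticate(src_ip, ni, nr, exchange, sent)

# Constructed sample: one static peer, one key shared by all dynamic peers.
GATEWAY = Responder({
    "192.0.2.10": b"static-site-key",
    ANY_PEER: b"shared-dynamic-key",
})

if __name__ == "__main__":
    print(attempt(GATEWAY, "192.0.2.10", b"static-site-key"))       # static peer
    print(attempt(GATEWAY, "198.51.100.77", b"pix-only-key"))       # own PSK
    print(attempt(GATEWAY, "198.51.100.77", b"shared-dynamic-key")) # shared PSK
```

In this model a dynamic peer configured with its own key never authenticates, because the responder has no address entry that would lead it to that key.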
|

11-21-2008, 07:50 PM
|
|
Junior Member
|
|
Join Date: Jul 2008
Posts: 5
|
|
PSKs with Dynamic Endpoints
Thanks for the reply Bob,
I did have another dynamic endpoint tunnel configured on the ASG. I recreated the PIX gateway definition with the same PSK and reconfigured the actual pix with that PSK. Unfortunately no dice. )-:
I really think that this is more of a pix thing....which is not my forte. I can do a static connection with a PIX to anything, but the dynamic portion is the big mystery.
Any ideas? I've attached a word doc in case someone in the know can take a look at the vpn settings for both devices.
Thanks again very much!
-billy
|

11-21-2008, 08:57 PM
|
 |
Moderator
|
|
Join Date: Mar 2007
Location: Oklahoma City
Posts: 3,010
|
|
Have you tried 'Strict routing' in the Astaro?
Last edited by BAlfson; 11-21-2008 at 09:57 PM.
|

11-21-2008, 09:04 PM
|
|
Junior Member
|
|
Join Date: Jul 2008
Posts: 5
|
|
I just tried 'Strict Routing' and no dice. )-:
Thanks,
-billy
|

11-21-2008, 09:57 PM
|
 |
Moderator
|
|
Join Date: Mar 2007
Location: Oklahoma City
Posts: 3,010
|
|
In the Pix, do you need to change "crypto map mymap client configuration address initiate" to "... respond" or just add an identical line with "respond" instead of "initiate"?
Sorry I'm so ignorant on the Pix. Barry or Scott would be able to nail this immediately.
Cheers - Bob
|

11-24-2008, 07:56 PM
|
 |
Moderator
|
|
Join Date: Mar 2007
Location: Oklahoma City
Posts: 3,010
|
|
One of the real gurus responded to me about this with the comment that he has never done a Site-to-Site IPSec VPN; he requires his clients to spend a few extra dollars a month for fixed IPs. It's a tough crowd!
He's right; if there's a need for a Site-to-Site VPN, there should be a few dollars available each month to pay for a fixed IP. If there isn't such a need, then maybe the right answer is for individual users to configure 'Remote Access', have the users connect individually with their PCs and to liquidate those old Pixes!
Cheers - Bob
|

12-01-2008, 06:28 PM
|
|
Junior Member
|
|
Join Date: Jul 2008
Posts: 5
|
|
IPSEC dynamic PIX 501 to Static ASG425
Agreed, it would definitely make more sense to get static IPs for these types of connections. The problem is that for some locations static is simply not offered. Not only that, but the freedom to be able to plug in a cheap firewall (that we already own) that establishes an IPSEC connection instantly supports our DR strategy and provides us with a lot of flexibility.
I think I've nailed the issue down to how the astaro treats remote gateway ipsec connection requests. The pixes use dynamic crypto maps, while the Astaro uses the configuration of the remote gateway (set to "respond"). Therein somewhere lies the answer, but I need to find the elusive engineer that has actually made this happen successfully. I just find it hard to believe that this can be done easily with 7-year-old technology, but not with the newer Astaro.
As always, any ideas would be greatly appreciated....and I'm upping the offer to send 3 pix 501s with 50 ip user licenses to whoever can figure this out (continental US only). (-: Can you tell I'm desperate???
Thanks much,
-billy
|