In article <GsTyb.11462$5d.10405@bignews4.bellsouth.net>,
Darron Findlay <dcfindlay@nojunk_hotmail.com> wrote:
:I have a (cheap) client who has ADSL at his home office. He wants to put
:something like a PIX 501 behind the DSL modem and be able to get to it via
:VPN from abroad. Since he's getting dynamic IP addresses, he wants to use
:some service like dyndns.org so he can get the current address converted to
:a DNS-like name.
:Can it be done (VPN into a PIX with a dynamic IP address that's running
:PPPOE)?

In theory, yes.

Normally, the IPSec setup for a PIX with a dynamic address is the
same as for a regular PIX -- plain 'crypto map' and with
a 'set peer' clause pointing to its fixed-IP kin. And normally
the PIX receiving the call has 'crypto dynamic-map'. You can't
normally have a PIX-to-PIX VPN in which both ends are dynamic
because *one* end needs a 'set peer' nominating a fixed IP.
But the constraint that requires 'set peer' does not apply for
the VPN client setup. So you can just go ahead and configure
the PIX 501 as an Easy VPN Server (using PDM perhaps), or
manually with a 'crypto dynamic-map' and vpdn-group etc. The VPN
client just has to find the outside address -somehow- and
negotiation takes care of the rest.
--
*We* are now the times. -- Wim Wenders (WoD)
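
The configuration shape described in the reply above, as an added example that is not part of the original post: a PIX 6.x-style fragment for a PPPoE outside interface that accepts Cisco VPN Client connections through a dynamic map. Every name, address range and secret is a placeholder or an assumption (inside LAN 192.168.1.0/24, a 3DES-capable license, IKE group 2 for the client).

```cisco
: Added example; all names, pools and secrets below are placeholders.
:
: Outside address is learned from the ISP over PPPoE
vpdn group ISP request dialout pppoe
vpdn group ISP localname <pppoe-username>
vpdn group ISP ppp authentication pap
vpdn username <pppoe-username> password <pppoe-password>
ip address outside pppoe setroute
:
: Pool handed to VPN clients, exempted from NAT toward the inside LAN
ip local pool VPNPOOL 192.168.50.1-192.168.50.20
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
:
: Dynamic map: no 'set peer', so the caller's address need not be known
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set TSET
crypto map OUTMAP 20 ipsec-isakmp dynamic DYNMAP
crypto map OUTMAP interface outside
:
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
:
: Group that the VPN Client authenticates against
vpngroup HOMEOFFICE address-pool VPNPOOL
vpngroup HOMEOFFICE password <group-secret>
vpngroup HOMEOFFICE idle-time 1800
:
: For contrast, a PIX-to-PIX entry must name a fixed address:
:   crypto map OUTMAP 10 ipsec-isakmp
:   crypto map OUTMAP 10 set peer <fixed-ip-of-other-pix>
```

The group secret is shared by every client in the group, so treat it as a credential and add per-user authentication if the platform and license allow it.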