|
| Author |
semi OT: Remote user ASA Lan to LAN options
|
|
| Voll, Scott 2007-02-06, 7:12 pm |
| So we just purchased an ASA5505 for a remote user to connect back to the
main site.
The idea was to do a LAN to LAN IPSEC tunnel. But since this is Comcast
(cable broadband) and they don't do static IPs, I'm trying to figure out
how to go about this. My second thought is that since we will have a
SCCP IP phone behind it, I can do a Dynamic VPN connection, and since it's
SCCP, it will be sending keepalives to the CM, so the VPN connection
will stay up. Would this be correct?
Does anyone already do this? What are you doing?
Any other thoughts?
TIA
Scott
| |
| Voll, Scott 2007-02-06, 7:12 pm |
| Now my second question is...... is it better to terminate this user on a
VPN Concentrator or on a Pix OS 7.2 if I'm using Easy VPN?
Scott
________________________________
From: Craig M Staffin [mailto:cmstaffin@ra.rockwell.com]
Sent: Tuesday, February 06, 2007 11:24 AM
To: Voll, Scott
Cc: cisco-voip@puck.nether.net; cisco-voip-bounces@puck.nether.net
Subject: Re: [cisco-voip] semi OT: Remote user ASA Lan to LAN options
Scott,
I would use DMVPN as long as you have a static IP back at the main site.
Easy VPN would also work for a single remote user setup.
This should do what you need to do.
Craig
"Voll, Scott" <Scott.Voll@wesd.org>
Sent by: cisco-voip-bounces@puck.nether.net
02/06/2007 01:19 PM
To
<cisco-voip@puck.nether.net>
cc
Subject
[cisco-voip] semi OT: Remote user ASA Lan to LAN options
So we just purchased an ASA5505 for a remote user to connect back to the
main site.
The idea was to do a LAN to LAN IPSEC tunnel. But since this is Comcast
(cable broadband) and they don't do static IPs, I'm trying to figure out
how to go about this. My second thought is that since we will have a
SCCP IP phone behind it, I can do a Dynamic VPN connection, and since it's
SCCP, it will be sending keepalives to the CM, so the VPN connection
will stay up. Would this be correct?
Does anyone already do this? What are you doing?
Any other thoughts?
TIA
Scott
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Voll, Scott 2007-02-06, 7:12 pm |
| As far as voice is concerned, is there any reason to go one way or the
other? I.e., fixups
Scott
________________________________
From: Craig M Staffin [mailto:cmstaffin@ra.rockwell.com]
Sent: Tuesday, February 06, 2007 11:40 AM
To: Voll, Scott
Cc: cisco-voip@puck.nether.net
Subject: RE: [cisco-voip] semi OT: Remote user ASA Lan to LAN options
Depends on size.
PIX, last time I worked with them, could only terminate a small number of
VPN clients, somewhere under 50 if I remember right.
Whereas the Concentrators can do thousands of connections.
Craig
| |
| Jason Aarons \(US\) 2007-02-06, 7:12 pm |
| Get a second public IP address and buy the Meteros (Cisco) SCCP Proxy!
Regular voice isn't encrypted today and easily listenable on PSTN with
any butt set. This way you don't have house calls about IPSEC tunnel
problems and VPN3 design issues.
Keep It Simple and Stupid. I can't imagine how much a bunch of ASA-5505
would cost for every site with 7900 Phones, much along the TCO of having
IPSEC tunnels.
I saw a cool demo at VoiceCon last year from Avaya, handsets used public
IP addresses with SSL/https for call control/rtp over the Internet, they
claimed it was easier than CTLs.
For reference the TeleWorker SRND only supports the 8XX. Wonder if they
will update it for this new ASA?
| |
| Craig M Staffin 2007-02-06, 7:12 pm |
| Scott,
I would use DMVPN as long as you have a static IP back at the main site.
Easy VPN would also work for a single remote user setup.
This should do what you need to do.
Craig
| |
| Craig M Staffin 2007-02-06, 7:12 pm |
| Depends on size.
PIX, last time I worked with them, could only terminate a small number of
VPN clients, somewhere under 50 if I remember right.
Whereas the Concentrators can do thousands of connections.
Craig
| |
| Voll, Scott 2007-02-06, 7:12 pm |
| Since you're the one bringing it up.... What can you tell us about the SCCP
proxy? Is Cisco selling it now?
| |
| Brett Looney 2007-02-08, 1:11 am |
| > The idea was to do a LAN to LAN IPSEC tunnel. But since this is
> Comcast (cable broadband) and they don't do static IP's I'm trying
> to figure out how to go about this.
I've done LAN to LAN IPSEC tunnels in the past where one end is on a dynamic
IP address. Works well... Two small issues - you can't establish the tunnel
from the static end (because it doesn't know the IP address of the remote
end) and you have to set a wildcard IP address for the remote end, so
slightly less secure (but choose a very strong pre-shared key!).
HTH!
B.
|
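The arrangement described in the last post, sketched in PIX/ASA 7.2-style CLI. This is an added example, not configuration from the thread or from any poster; the addresses (203.0.113.10, 10.1.0.0/16, 192.168.50.0/24), the object names and the key placeholder are all assumptions.

```cisco
! ===== Main site: static IP 203.0.113.10 (placeholder), responder only =====
access-list HQ-TO-REMOTE extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list HQ-TO-REMOTE
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
! Dynamic map entry has no "set peer": the remote address is unknown,
! so this end can answer a negotiation but never start one.
crypto dynamic-map REMOTE-DYN 10 set transform-set AES256-SHA
! Dynamic entry goes last so any static peers are matched first.
crypto map OUTSIDE-MAP 65000 ipsec-isakmp dynamic REMOTE-DYN
crypto map OUTSIDE-MAP interface outside
! Peers whose address matches no named tunnel-group fall into the default
! LAN-to-LAN group: this is the "wildcard" pre-shared key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <LONG-RANDOM-KEY>

! ===== Remote ASA 5505: dynamic IP from the ISP, initiator =====
access-list REMOTE-TO-HQ extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list REMOTE-TO-HQ
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address REMOTE-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <LONG-RANDOM-KEY>
```

Every dynamic-address peer that reaches the main site shares the DefaultL2LGroup key, which is why the key has to be long and random and should be rotated if any remote device is lost or retired.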