Another option would be to install VPN hardware at every remote office and set up a site-to-site VPN that connects those 7 remote offices to your main office. Each host would not need its own VPN client software or user credentials, because all clients at each remote office would share the 7 tunnels between remote and main VPN gateways. This makes more sense if you want to let EVERYONE at each remote office have the SAME access to your main office network. However, if you want to permit only a few clients, or need to vary permissions for individual users, then a remote access VPN is more appropriate.
For a remote access VPN with the hardware that you describe, each remote office will require Internet access. NAT Traversal in your Cisco 1760 and VPN Client software will let IPsec traffic be forwarded through remote office router/firewalls, no matter what they might be. However, the router/firewall at every remote office must be configured to permit bi-directional traffic on ports used by your VPN.
You will need to work with each remote office to install appropriately configured Cisco VPN Client software on every remote host, to identify the username/password for each authorized user, and to train users on how and when to launch VPN clients.
On your Cisco 1760, you will probably decide to use Extended Authentication (XAUTH) and a group policy that defines a preshared secret used by everyone in that group. You can authenticate users locally or use an ACS server for user authentication. To learn more about Cisco IOS IPsec configuration, see this Cisco white paper on IPsec deployment, particularly the section on "Cisco Easy VPN."
I am not sure from your description whether all 7 "group companies" should have access to the same resources at your main office, and whether those companies can access each other's networks using Frame Relay as a "hub and spoke" private network. You'll want to consider these questions when designing your VPN policies so that you can configure filters to enforce per-company restrictions.
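One way to express the XAUTH-plus-group-secret policy and the per-company filters described above, as an added Cisco IOS configuration example that is not from the original answer or from Cisco's white paper. Group names, the user, all addresses, interface names, the IKE/IPsec algorithm choices and the bracketed secrets are assumptions and placeholders; only two of the companies are shown.

```cisco
! Added example. Names, addresses, interfaces and secrets are placeholders.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username alice secret <USER-PASSWORD-PLACEHOLDER>
!
! IKE phase 1 with a group preshared secret (algorithm choices assumed)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! One Easy VPN group per company: own preshared secret, own address pool
crypto isakmp client configuration group COMPANY-A
 key <GROUP-A-SECRET-PLACEHOLDER>
 pool POOL-A
crypto isakmp client configuration group COMPANY-B
 key <GROUP-B-SECRET-PLACEHOLDER>
 pool POOL-B
!
ip local pool POOL-A 10.99.1.1 10.99.1.50
ip local pool POOL-B 10.99.2.1 10.99.2.50
!
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set VPN-SET
 reverse-route
!
! XAUTH (per-user login) plus group lookup, both against the local database
crypto map CLIENTMAP client authentication list VPN-USERS
crypto map CLIENTMAP isakmp authorization list VPN-GROUPS
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
! Internet-facing interface (name assumed)
interface Ethernet0/0
 crypto map CLIENTMAP
!
! Per-company filter on decrypted traffic leaving toward the main-office LAN.
! Each pool reaches only its own permitted host; other VPN traffic is logged.
access-list 120 permit ip 10.99.1.0 0.0.0.255 host 10.1.0.10
access-list 120 permit ip 10.99.2.0 0.0.0.255 host 10.1.0.20
access-list 120 deny   ip 10.99.0.0 0.0.255.255 any log
access-list 120 permit ip any any
!
! Main-office LAN interface (name assumed)
interface FastEthernet0/0
 ip access-group 120 out
```

After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` confirm the tunnel, and matches on the `deny ... log` entry show clients trying to reach hosts outside their company's permitted set.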
This was first published in August 2004