Re: How to set the peer with hostname in PIX 6.3

chrishudson · ‎10-26-2004

I am trying to configure VPN through domain name instead of ip address in PIX.The command reference shows you can usae hostname or ip address at "crypto map outside_map 10 set peer " command .But while I am typing hostname after set peer PIX is not accepting.Pleas help me to fix this

Chris

Patrick Iseli · ‎10-26-2004

I have never tryed this with a FQDN but check this commands on the 6.3 command reference

isakmp identity {address | hostname | [key-id key_id_string]}

isakmp peer fqdn fqdn no-xauth no-config-mode

See:

Command Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

Configuration examples:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

sincerely

Patrick

prasadrp · ‎10-26-2004

You are right about the option of Hostname in crypto map command, but it cannot be resolved through DNS. You need to create a name entry in pix mapping the IP to name with the name command. Then crypto map can have the hostname created through name command

So you can have statement as follows

names

name 192.168.1.10 mypeer

crypto map outside_map 10 set peer mypeer

chrishudson · ‎10-26-2004

Hi prasad

yes I tried ,but PIX is showing syntax error ie you can type only ip address after set peer.Actually I am trying to establish VPN by DDNS,so I cannot declare names,but I can configure name servers

Chris

prasadrp · ‎10-26-2004

PIX will not do a DNS request for a name found in the configuration. The only possible way in Pix is through use of name command. In your scenario, this feature is of no use. Pix, being a security device, doesnt have this feature since it can result in packets delays and more important prone to DNS spoofing/poisoning.

chrishudson · ‎10-28-2004

Hi prasad

Then my questionis why we are using "name server" command in PIX

chrishudson · ‎10-28-2004

Hi prasad

Then my questionis why we are using "name server" command in PIX

prasadrp · ‎10-29-2004

name ipaddress name

is just to make your configuration more user friendly and readable. Names feature will replace the relevant IPAddress with names in configuration which you have mentioned locally.

chrishudson · ‎10-29-2004

Hi Prasad

I am not saying aout the command " name xx.xx.xx.xx"

There's another command that's "name server xx.xx.xx.xx".It's for specifying DNS server address

Chris

prasadrp · ‎10-29-2004

I dont think there is a command "name server XX.XX.XX.XX" on Pix. Any command beginning with name/names is related to the name feature discussed earlier.

chrishudson · ‎10-29-2004

hi prasad

sorry that command is in router .Thank you

Chris