08-05-2012 10:46 AM - edited 02-21-2020 06:15 PM
Hi All,
BACKGROUND
We have set up a site to site IPSEC VPN between a Pix 515E running 8.0 (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and ASDM on the pix to build the initial tunnels. Now the site with the router is changing to a Dynamic IP address from the ISP so we have set up Dynamic DNS to update the dynamic IP address.
PROBLEM
The problem we have is that ASDM will not allow us to set a domain as the peer address, it will only accept an IP address. We think the solution will be to remove the static Crypto Map and replace with a Dynamic Crypto map on the Pix side. Our questions are simply; is this the best solution? can we edit the original static list or is it better to delete and make a new dynamic crypto map? Is there a short cut to change the config in command line? This is a live network so just want to check before we make changes on live kit.
Any help greatly appreciated.
08-06-2012 03:35 AM
You don't have to change anything when the peer address changes. The purpose of the dynamic crypto map is to take connections from dynamic peers. The only thing to remember is that only the dynamic peer can initiate the connection. And you reduce your security if you use pre-shared keys, as now you have to use a wildcard PSK.
As far as I remember, the PIX/ASA doesn't support the usage of FQDNs for dynamic peer-resolution. In IOS this feature is supported.
For functionality, it would be best to get back to static IP-addresses on both sides.
08-05-2012 11:26 PM
You can't delete the static crypto map and replace it with a dynamic one. The dynamic crypto-maps are included into the static crypto-maps and the static crypto map stays on the interface. That should look like that:
crypto dynamic-map dynmap 10 set transform-set esp-aes256-sha
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-map 1 match address CRYPTO-PEER1
crypto map vpn-map 1 annotation Connection to Peer 1
crypto map vpn-map 1 set peer 1.2.3.4
crypto map vpn-map 1 set transform-set esp-aes256-sha
crypto map vpn-map 1 set reverse-route
crypto map vpn-map 65000 ipsec-isakmp dynamic dynmap
crypto map vpn-map interface outside
If you only have the one dynamic connection, then skip everything with the sequence "1".
Another possibility is to configure the 1841 as an EasyVPN remote and the PIX as an EasyVPN server, but the above solution should be easier to implement.
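To show the other half of the setup described above, here is an added example (not from any post in this thread) of what the 1841 side could look like, plus the PIX tunnel-group that accepts the dynamic peer; the LAN subnets, interface names and transform names are assumptions, and 1.2.3.4 is reused from the reply only as a placeholder for the PIX outside address. It also illustrates the point made in the accepted answer: the router with the dynamic address must be the initiator, so DPD keepalives are configured there to bring the tunnel back up after an address change.

```cisco
! ---- 1841 (dynamic outside address, must initiate) ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! PSK bound to the PIX's static address (1.2.3.4 is a placeholder)
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 1.2.3.4
! periodic DPD so the router re-initiates after its own IP changes
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
!
! interesting traffic: router LAN -> PIX LAN (constructed subnets)
ip access-list extended CRYPTO-PIX
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map vpn-map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set esp-aes256-sha
 match address CRYPTO-PIX
!
interface FastEthernet0/0
 description ISP (dynamic address)
 crypto map vpn-map
!
! ---- PIX 515E (static 1.2.3.4, accepts the dynamic peer) ----
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp enable outside
!
! Dynamic L2L peers land in DefaultL2LGroup, so this is the
! "wildcard" PSK: it is accepted from any source address.
! Keep it long and random; certificates would avoid this weakness.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 isakmp keepalive threshold 10 retry 2
```

The PIX still needs the dynamic-map and crypto-map lines from the reply above; this fragment only adds the ISAKMP policy and tunnel-group that go with them.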
08-06-2012 03:23 AM
Hi
Thanks for response.
The VPN is working fine but the problem is we want to set the peer address on the pix to a domain name to avoid reconfiguration every time the IP address changes with the ISP. If we do an nslookup it resolves correctly.
When we enter ".... set peer any.domain.net" we get "can not interperet ip address" in ASDM, and in the CLI it will not work either.
Any ideas?
Thanks.
08-07-2012 10:42 AM
Thanks for your help. As you say, FQDNs are not supported on the PIX/ASA, so we will configure a dynamic VPN instead. It is rare that we would use a dynamic IP address; we normally use statics, and I have only ever used static addresses at both ends.
Thanks again