
Is there any way to configure domain name in place of IP address for "Peer VPN device"

Level 1


When I configure a site-to-site VPN on the ASA, it asks for the IP address of the remote VPN device, and it works pretty fine if I configure it like this.

The problem is that the remote VPN device does not have a static IP address; it changes on every reboot. I have configured Dynamic DNS for the interface, but the problem is that the ASA does not take a domain name as the "peer VPN device" address.

Is there any workaround for this issue so that I don't need to configure the VPN from scratch every time the IP address of the remote device changes?

P.S. The ASA VPN configuration also does not allow me to change just the IP address of the remote device in the VPN configuration; I have to delete the current VPN and configure a new one from scratch every time the IP address changes.


1 Reply

Cisco Employee

Hello Mahendra,

Yes, you can set a hostname in the 'crypto map set peer' command instead of an IP address; however, the ASA will resolve that name only once it is applied, hence it will take the IP that name currently holds, and if it changes, it will not update it.

The easy solution for your case is to use a static-to-dynamic L2L configuration. On your ASA, configure a dynamic crypto map, assign it to the static crypto map you have, and then add the pre-shared key to the Default L2L tunnel-group.

An example is given below:

crypto dynamic-map dyn_map <seq-number> set transform-set <transform-set-name>

crypto map VPN <seq-number> ipsec-isakmp dynamic dyn_map

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <pre-shared-key>


This way, you must initiate the tunnel from behind the remote device (not your ASA where the dynamic crypto map is configured) and it should work fine.

The document below explains that in detail:

Hope that helps
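
A check for the three steps in the reply above, as an added example that is not part of the original thread and not Cisco code: it reads a saved running-config and reports which of the steps (dynamic crypto map, assignment to the static crypto map, pre-shared key on DefaultL2LGroup) is missing. It goes one step beyond the reply by also flagging static entries numbered after the dynamic entry; the sample config, its sequence numbers, transform-set name and peer address are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the thread). Sequence numbers,
# transform-set name, peer address and the masked key are assumptions.
SAMPLE_CONFIG = """\
crypto ipsec transform-set MYSET esp-aes-256 esp-sha-hmac
crypto dynamic-map dyn_map 10 set transform-set MYSET
crypto map VPN 10 set peer 198.51.100.7
crypto map VPN 65535 ipsec-isakmp dynamic dyn_map
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
"""

DYN_RE = re.compile(r"crypto dynamic-map (\S+) \d+ set (?:ikev1 )?transform-set \S+")
REF_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
ENTRY_RE = re.compile(r"crypto map (\S+) (\d+) ")
KEY_RE = re.compile(r"\s+(?:ikev1 )?pre-shared-key \S+")


def audit_static_to_dynamic(config):
    """Return a list of findings; an empty list means every step is present."""
    lines = config.splitlines()
    findings = []

    # Step 1: a dynamic crypto map that carries a transform set.
    dyn_maps = {m.group(1) for m in map(DYN_RE.match, lines) if m}
    if not dyn_maps:
        findings.append("no dynamic crypto map with a transform set")

    # Step 2: that dynamic map is assigned to a static crypto map.
    refs = [(m.group(1), int(m.group(2))) for m in map(REF_RE.match, lines)
            if m and m.group(3) in dyn_maps]
    if not refs:
        findings.append("dynamic map is not assigned to a static crypto map")
    # Entries are matched in sequence order, so the dynamic one should be last.
    for name, seq in refs:
        later = sorted({int(m.group(2)) for m in map(ENTRY_RE.match, lines)
                        if m and m.group(1) == name and int(m.group(2)) > seq})
        findings += [f"{name} entry {n} follows dynamic entry {seq}" for n in later]

    # Step 3: DefaultL2LGroup ipsec-attributes contains a pre-shared key.
    has_key = False
    for i, line in enumerate(lines):
        if line.strip() == "tunnel-group DefaultL2LGroup ipsec-attributes":
            for sub in lines[i + 1:]:          # indented sub-mode lines only
                if not sub.startswith(" "):
                    break
                has_key = has_key or bool(KEY_RE.match(sub))
    if not has_key:
        findings.append("DefaultL2LGroup has no pre-shared key")
    return findings
```
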