Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1491
Views
0
Helpful
8
Replies

Site to Site VPN with DDNS on remote FW

NMBowser
Level 1
Level 1

‎11-02-2020 09:02 AM

I have two sites right now: local site has an ASA 5505 and remote site has a Dray-Tek vigor 2133 series router with a ddns from dnsalias configured on it. My question is: Is it possible to configure our ASA to build a S2S tunnel using the Draytek's DDNS? I built a tunnel using ASDM but that does not allow a host name, only IP. The tunnel is currently build using the IP of the Draytek but the Ip on the DT side is changine more and more frequently. Any help would be greatly appreciated.

Labels:
0 Helpful
8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

‎11-02-2020 09:10 AM

Never used Drayek VPN with ASA ( Draytek used for FW)

 

is ASA has static IP and Dreytek has Dynamic IP - not sure what option you use in draytek

 

check example :

 

https://blog.danmassey.net/cisco-asa-site-to-site-vpn-with-dynamic-ip-addresses/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

NMBowser
Level 1
Level 1
In response to balaji.bandi

‎11-02-2020 09:34 AM

The draytek has a ddns configured and the ASA has a static IP. I want to try to construct the tunnel using the DDNS so the Draytek side doesnt have to get a static IP. The Draytek side is working fine, I just can not find an option on the ASA side to build the tunnel using a ddns name rather than just an IP.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎11-02-2020 10:04 AM

Why not Draytek initiate the Tunnel all time, since ASA has static IP. Like any EZY VPN style ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

NMBowser
Level 1
Level 1
In response to balaji.bandi

‎11-11-2020 09:00 AM

I would like to do this, but how would I configure the ASA to allow that?

0 Helpful

Karsten Iwen
VIP
VIP

‎11-02-2020 10:53 AM

In contrast to the IOS-router, there is no dynamic peer name resolution on the ASA for VPNs. As already mentioned, let the spoke initiate the connection and the ASA respond. Keep in mind that using wildcard PSKs is not a best practice and should be avoided. Using digital certificates is the way to go in this scenario.

0 Helpful

NMBowser
Level 1
Level 1
In response to Karsten Iwen

‎11-06-2020 10:38 AM

Sorry for the n00b question, but how would I do that on the ASA side?

0 Helpful

MHM Cisco World
VIP
VIP

‎11-02-2020 02:56 PM

ASA-Draytek

under the ASA config dynamic map,

dynamic map don't need ip of other peer "other side of tunnel"

NOTE:-this config make only Draytek initiate traffic, ASA can not initiate the traffic.

0 Helpful

MHM Cisco World
VIP
VIP

‎11-02-2020 05:28 PM

ASA-Draytek

Other solution if this available in draytek , yes VTI in asa and use hostname as tunnel destination.

check this solution.

0 Helpful
Customers Also Viewed These Support Documents