VPN group using names

peter.williams
Level 1

I would like to use DNS names in the group name, but am unable to. Does somebody have a way of using DNS names in the group name for L2L tunnels on an ASA?

Thank you for your help

Sent from Cisco Technical Support iPhone App

5 Replies

Shilpa Gupta
Cisco Employee

Hi,

I understand you are configuring your ASA for site-to-site IPsec. You want to know if you can use the fully qualified domain name (FQDN) instead of the IP address in the crypto map set peer command.

You can use the following:

crypto map outside_map 40 set peer hostname.domain.com

Please make sure you have this command as well:
crypto isakmp identity hostname

In the tunnel-group, use the hostname.domain.name as well instead of the IP address:

tunnel-group hostname.domain.name type ipsec-l2l

I hope it helps.

Thanks,

Shilpa

peter.williams
Level 1

Will the hostname be resolved by DNS then?

What I have is VPN tunnels from the ASA to routers that do not have static IP addresses, so I will need the hostnames on the ASA to look at DNS when the IP address changes on the remote routers.

Thank you for your help

Sent from Cisco Technical Support iPhone App

Hi Peter,

Dynamic resolving of domain names at runtime is typically not supported (at least not for the majority of configurations).

What typically happens is that any FQDN entered in the config (where permitted and interpreted by the config as an FQDN) is translated to an IP address at the time of configuration.

If you want to establish tunnels from routers with dynamic IP addresses to a statically configured ASA, the standard approach and recommended configuration is to use "Easy VPN Remote" on the router and "Easy VPN Server" on the ASA (also known as hardware client or similar).

In that case the ASA cannot establish a tunnel to routers with dynamic IP addresses; the routers will have to establish the tunnel.

I hope you can find the Easy VPN configuration samples on cisco.com; if not, I will be happy to assist in searching (using a search engine).

Best regards,

MiKa

PS [addendum]: The IPsec identity, and therefore the tunnel-group name, will be the Easy VPN group name instead of the IP address or FQDN. If the ISAKMP authentication method is "pre-shared" (or "group password"), IKE/ISAKMP will use aggressive mode for phase one. If rsa-sig is used for IKE/ISAKMP, main mode can be used for phase one. (It's quite different for IKEv2, but I assume you have the traditional config with "crypto isakmp policy" etc.)

peter.williams
Level 1

Will I be able to use DNS resolution on a router with a static IP at the main site?

Sent from Cisco Technical Support iPhone App

Resolving the IP address via DNS for a statically configured FQDN used as an IPsec identity should be no problem.

I've never done exactly that. In such cases I used a quick and dirty "ip host" entry, or rather a "name" entry, on the ASA; I have more trust in the config than in an external DNS server.

For your dynamically addressed 2811s you will quite surely need "Easy VPN Remote".

Rgds, MiKa
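A check for the failure mode discussed above (the ASA resolves an FQDN once, when the line is entered, so a pinned "name" entry silently goes stale when the peer's DNS record moves), as an added example that is not from this thread or from Cisco. It parses a constructed ASA running-config excerpt, compares each FQDN peer's pinned "name" address with a current DNS answer, and reports the drift; the resolver is passed in (a dict lookup here, socket.gethostbyname in practice) so the example runs offline.

```python
import re

# Constructed ASA running-config excerpt (not from the thread): L2L peers given
# as FQDNs and pinned to addresses with "name" entries, as MiKa suggests.
SAMPLE_CONFIG = """\
names
name 203.0.113.10 branch1.example.net
name 198.51.100.7 branch2.example.net
crypto map outside_map 40 set peer branch1.example.net
crypto map outside_map 50 set peer branch2.example.net
crypto map outside_map 60 set peer 192.0.2.5
crypto isakmp identity hostname
tunnel-group branch1.example.net type ipsec-l2l
tunnel-group branch2.example.net type ipsec-l2l
"""

# Constructed DNS answers standing in for a live lookup so the example runs
# offline; branch2's record has moved since its "name" entry was written.
SAMPLE_DNS = {"branch1.example.net": "203.0.113.10",
              "branch2.example.net": "198.51.100.99"}

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)", re.M)
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)", re.M)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_name_entries(config: str) -> dict:
    """Map each 'name <ip> <fqdn>' entry to the address it pins."""
    return {fqdn: ip for ip, fqdn in NAME_RE.findall(config)}

def parse_peers(config: str) -> list:
    """Return every peer named on a 'crypto map ... set peer' line."""
    return PEER_RE.findall(config)

def find_drift(config: str, resolve) -> dict:
    """Compare each FQDN peer's pinned address with what DNS answers now.

    resolve(fqdn) returns the current address or None. The ASA keeps the
    address it resolved at config time, so a changed record is invisible to
    it until the "name" entry is updated. Returns {fqdn: (pinned, current)}
    for peers that are unpinned, unresolvable, or whose address differs.
    """
    pinned = parse_name_entries(config)
    drift = {}
    for peer in parse_peers(config):
        if IPV4_RE.fullmatch(peer):
            continue  # literal IP peer: nothing to re-resolve
        current = resolve(peer)
        if pinned.get(peer) != current:
            drift[peer] = (pinned.get(peer), current)
    return drift
```

Run it on `show running-config` output from a cron job and alert on a non-empty result; an empty dict means every FQDN peer still points where DNS says it should.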