09-24-2012 06:52 PM
We need to create a site-to-site IPsec VPN tunnel, but the other side does not have a static IP address. They are asking us to point to a fully qualified domain name... does the ASA accept a domain name as a peer as opposed to an IP address?
09-24-2012 10:09 PM
Hi Ronni,
The ASA cannot initiate a VPN tunnel to a dynamic DNS hostname (remote FQDN). It can only initiate to a hostname defined by the 'name' command.
Keep me posted.
Portu
Please rate any helpful post.
09-25-2012 12:46 AM
The IOS router is capable of working the way you want, but as Javier told you, the ASA cannot.
If it is OK that only the other side initiates the connection, then you can configure the ASA to accept VPNs from any IP. But before going further in finding a solution, I would ask the other administrator why there is no fixed IP. If you want a really reliable VPN, you really should have fixed IPs on both sides.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
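A sketch of the "accept from any IP" approach described in the reply above, added as an illustration and not taken from any poster's configuration. It assumes ASA 8.4 or later IKEv1 syntax, an existing IKEv1 policy that matches the peer, and an outside interface named `outside`; the object names, subnets and key are constructed placeholders.

```text
! Constructed example: the ASA answers a peer whose address is unknown.
! The remote side must initiate; the ASA cannot bring this tunnel up.

! Protected traffic (placeholder subnets: local 192.168.10.0/24, remote 192.168.20.0/24)
access-list L2L-DYN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic map entry: no "set peer", so any source address can match.
! "match address" limits which proxy identities the ASA will accept.
crypto dynamic-map DYN-L2L 10 match address L2L-DYN
crypto dynamic-map DYN-L2L 10 set ikev1 transform-set ESP-AES256-SHA

! Bind the dynamic entry at the lowest priority so static peers are tried first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside

! Peers with no matching tunnel-group land in DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-LONG-RANDOM-KEY>
```

Because the peer address is no longer part of the match, the pre-shared key is the only thing authenticating the remote site, so it should be long and random, or replaced with certificate authentication.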
09-25-2012 06:14 AM
Hi Ronni,
Just adding more information about the tunnels mentioned above:
ASA:
IOS:
"match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}"

crypto isakmp profile vpnprofile
 match identity group vpngroup
 match identity address 10.53.11.1
 match identity host domain vpn.com
 match identity host server.vpn.com
Thanks.
Message was edited by: Javier Portuguez