We need to create a site-to-site IPsec VPN tunnel, but the other side does not have a static IP address; they are asking us to point to a fully qualified domain name... Does the ASA accept a domain name as a peer as opposed to an IP address?
Hi Ronni,
The ASA cannot initiate a VPN tunnel to a dynamic DNS hostname (remote FQDN). It can only initiate to a hostname defined by the 'name' command.
Keep me posted.
Portu
Please rate any helpful post.
The IOS router is capable of working the way you want, but as Javier told you, the ASA cannot.
If it is OK that only the other side initiates the connection, then you can configure the ASA to accept VPNs from any IP. But before going further in finding a solution, I would ask the other administrator why there is no fixed IP. If you want a really reliable VPN, you really should have fixed IPs on both sides.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
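A sketch of the "accept VPNs from any IP" setup mentioned in the post above, as an added example that is not from any participant in this thread. It assumes ASA 8.4 or later IKEv1 syntax, an IKEv1 policy already enabled on the outside interface, and pre-shared-key authentication in main mode; every name, subnet and the key placeholder is hypothetical.

```cisco
! Added example (not from the thread). Assumes ASA 8.4+ IKEv1 syntax.
! DYN-L2L, OUTSIDE-MAP, ESP-AES256-SHA, L2L-INTERESTING, the interface
! name "outside" and both subnets are hypothetical.

! Traffic to protect: local 192.168.10.0/24 <-> remote 192.168.20.0/24
access-list L2L-INTERESTING extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic map entry: there is no "set peer", so the ASA responds to a
! peer whose source address is not known in advance. It cannot initiate.
crypto dynamic-map DYN-L2L 10 match address L2L-INTERESTING
crypto dynamic-map DYN-L2L 10 set ikev1 transform-set ESP-AES256-SHA

! Reference the dynamic map at the highest sequence number so that any
! static peer entries in the same crypto map are evaluated first.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside

! A peer with no tunnel-group named after its IP address falls into the
! default LAN-to-LAN group, so this key is what the dynamic peer must use.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
```

The key on DefaultL2LGroup is shared by every peer that does not match a more specific tunnel-group, so it should be long and random, and the access list should be limited to the subnets the remote site actually needs.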
Hi Ronni,
Just adding more information about the tunnels mentioned above:
ASA:
IOS:
"match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}"
crypto isakmp profile vpnprofile
 match identity group vpngroup
 match identity address 10.53.11.1
 match identity host domain vpn.com
 match identity host server.vpn.com
Thanks.
Message was edited by: Javier Portuguez