cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
14214
Views
0
Helpful
3
Replies
network770
Beginner

VPN using FQDN

We need to creat a site-to-site ipsec vpn tunnel but the other side does not have a static IP address, they are asking of us to point to a fully qualified domain name... does the ASA accept a domain name as a peer as opposed to an IP address?

3 REPLIES 3

Hi Ronni,

The ASA cannot initiate a VPN tunnel to a dynamic DNS hostname (remote FQDN). It can only initiate to a hostname defined by the 'name' command.

Keep me posted.

Portu

Please rate any helpful post.

Karsten Iwen
VIP Mentor

The IOS-router is capable to work the way you want, but as Javier told you, the ASA can not.

If it is ok that only the other side initiates the connection, then you can configure the ASA to accept a VPNs from any IP. But before going further in finding a solution I would ask the other administrator why there is no fixed IP. If you want a really reliable VPN, you really should have fixed IPs on both sides.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Ronni,

Just adding more information about the tunnels mentioned above:

ASA:

Dynamic IPsec Tunnel Between a Statically Addressed ASA and a Dynamically Addressed Cisco IOS Router that uses CCP Configuration Example

IOS:

ISAKMP Profile Overview

"match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain

domain-name | user user-fqdn | user domain domain-name}"

crypto isakmp profile vpnprofile

  match identity group vpngroup

  match identity address 10.53.11.1

  match identity host domain vpn.com

  match identity host server.vpn.com

Thanks.

Message was edited by: Javier Portuguez

Create
Recognize Your Peers
Content for Community-Ad