awilner

PIX-2-PIX, VPN to Dynamic DNS

Hello,
I am not sure if I am missing something simple. I have a PIX that is sitting on a dynamic IP DSL line, and the client behind the PIX updates the IP of the dynamic DNS host every time it changes. I can also VPN to it using the Cisco client. Pretty standard and works well. However, now I am trying to build a permanent connection between this PIX and a PIX525 on my network.
As I found out, I cannot use:
access-list 101 permit ip host 172.18.1.100 host something.dnsalias.net
or
crypto map newmap 200 set peer something.dnsalias.net
Is there a way to build this configuration? I looked through the existing answers on EE and couldn't find it. Any help would be greatly appreciated.

batry_boy

Check out the following Cisco example of how to do something like this:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

It also shows using the VPN client to connect to the central site PIX, but you can ignore this part for your scenario...
awilner

ASKER

Thank you. (Sorry, I just noticed that I put an incorrect access-list in my email; obviously my only concern is the peer for the crypto map and isakmp policy.)
I looked at the example, and I am a little confused; so since it is not known what the IP address is going to be, it needs to accept connections from anywhere as long as the pre-shared key matches? Does that mean that all I have to do is create another dynamic map ...
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
?
Here is a fragment of the current config:
...
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ttset esp-aes esp-sha-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 10 set transform-set vpnset
crypto dynamic-map outside_dyn_map 20 set transform-set vpnset
crypto dynamic-map outside_dyn_map 30 set transform-set vpnset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer 66.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 103
crypto map newmap 20 set peer 66.1.1.2
crypto map newmap 20 set transform-set myset
...
crypto map newmap 190 ipsec-isakmp
crypto map newmap 190 match address cubicfmmpix
crypto map newmap 190 set peer 149.1.1.1
crypto map newmap 190 set transform-set ttset
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap client authentication LOCAL
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 66.1.1.1 netmask 255.255.255.255
isakmp key ******** address 66.1.1.2 netmask 255.255.255.255
...
isakmp key ******** address 149.1.1.1 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
Thanks.
ASKER CERTIFIED SOLUTION
batry_boy

awilner

ASKER

I was finally able to test it today; after some tuning I got it working. Thank you very much.
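
The following Python check is an added example, not part of the thread or of Cisco's documentation. It parses a PIX-style config and reports whether the combination asked about above (a wildcard `isakmp key` plus a dynamic crypto map entry on an applied crypto map) lets peers with unknown addresses negotiate, and which transform sets such a peer has to propose. The sample config is constructed from the fragment quoted in the thread; the function name `audit` and the result keys are assumptions.

```python
# Added example: report what a PIX-style config accepts from unknown peers.
# SAMPLE is constructed, modelled on the fragment quoted in the thread.
SAMPLE = """\
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set vpnset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 set peer 66.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp key ******** address 66.1.1.1 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
"""
WILDCARD = ("0.0.0.0", "0.0.0.0")  # address/netmask pair that matches any peer

def audit(config):
    """Summarise static peers, the wildcard key and dynamic crypto map entries."""
    tsets, dyn_sets, dyn_refs, peers, keys, applied = {}, {}, [], set(), {}, set()
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 4:
            tsets[t[3]] = t[4:]  # transform-set name -> algorithms
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["set", "transform-set"]:
            names = dyn_sets.setdefault(t[2], [])
            names += [n for n in t[6:] if n not in names]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"] and len(t) > 6:
            peers.add(t[6])  # fixed-address peer
        elif (t[:2] == ["crypto", "map"] and len(t) > 6
              and t[4:6] == ["ipsec-isakmp", "dynamic"]):
            dyn_refs.append((t[2], t[6]))  # (crypto map, dynamic map it references)
        elif t[:2] == ["crypto", "map"] and t[3:4] == ["interface"]:
            applied.add(t[2])  # crypto map bound to an interface
        elif t[:2] == ["isakmp", "key"] and t[3:6:2] == ["address", "netmask"] and len(t) > 6:
            keys[(t[4], t[6])] = t[7:]  # (address, netmask) -> options such as no-xauth
    # Only dynamic entries on a crypto map that is applied to an interface count.
    dynamic = [{"crypto_map": m, "dynamic_map": d,
                "transforms": {n: tsets.get(n, []) for n in dyn_sets.get(d, [])}}
               for m, d in dyn_refs if m in applied]
    return {"static_peers": sorted(peers),
            "wildcard_key_options": keys.get(WILDCARD),  # None if no wildcard key
            "dynamic_entries": dynamic,
            "accepts_unknown_peers": WILDCARD in keys and bool(dynamic)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

When `accepts_unknown_peers` is true, possession of the pre-shared key is the only thing that identifies the remote end, and the remote PIX must offer one of the transform sets listed under `dynamic_entries`.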