awilner
asked on
PIX-2-PIX, VPN to Dynamic DNS
Hello,
I am not sure if I am missing something simple. I have a PIX that is sitting on the dynamic IP DSL and the client behind the PIX updates the IP of the dynamic DNS host, everytime it changes. I can also VPN to it using cisco client. Pretty standard and works well. However now I am trying to build a permanent connection between this pix and a PIX525 on my network.
As I found out I cannot use:
access-list 101permit ip host 172.18.1.100 host something.dnsalias.net
or
crypto map newmap 200 set peer something.dnsalias.net
Is there a way to build this configuration? I looked through the existing answers on EE and couldn't find it. Any help would be greatly appretiated.
I am not sure if I am missing something simple. I have a PIX that is sitting on the dynamic IP DSL and the client behind the PIX updates the IP of the dynamic DNS host, everytime it changes. I can also VPN to it using cisco client. Pretty standard and works well. However now I am trying to build a permanent connection between this pix and a PIX525 on my network.
As I found out I cannot use:
access-list 101permit ip host 172.18.1.100 host something.dnsalias.net
or
crypto map newmap 200 set peer something.dnsalias.net
Is there a way to build this configuration? I looked through the existing answers on EE and couldn't find it. Any help would be greatly appretiated.
Last Comment
ASKER
Thank you (Sorry, I just noticed that I put incorrect access-list in my email; Obviously my only consern is the peer for the crypto map and isakmp policy)
I looked at the example, and I am a little confused; so since It is not known what IP address is going to be, needs to accept connections from anywhere as long as the pre-shared key matches? Does that mean that all I have to do is to: create another dynamic map ...
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
?
Here is a fragment of the current config:
...
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ttset esp-aes esp-sha-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 10 set transform-set vpnset
crypto dynamic-map outside_dyn_map 20 set transform-set vpnset
crypto dynamic-map outside_dyn_map 30 set transform-set vpnset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer 66.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 103
crypto map newmap 20 set peer 66.1.1.2
crypto map newmap 20 set transform-set myset
...
crypto map newmap 190 ipsec-isakmp
crypto map newmap 190 match address cubicfmmpix
crypto map newmap 190 set peer 149.1.1.1
crypto map newmap 190 set transform-set ttset
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap client authentication LOCAL
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 66.1.1.1 netmask 255.255.255.255
isakmp key ******** address 66.1.1.2 netmask 255.255.255.255
...
isakmp key ******** address 149.1.1.1 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
Thanks.
I looked at the example, and I am a little confused; so since It is not known what IP address is going to be, needs to accept connections from anywhere as long as the pre-shared key matches? Does that mean that all I have to do is to: create another dynamic map ...
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
?
Here is a fragment of the current config:
...
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ttset esp-aes esp-sha-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 10 set transform-set vpnset
crypto dynamic-map outside_dyn_map 20 set transform-set vpnset
crypto dynamic-map outside_dyn_map 30 set transform-set vpnset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer 66.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 103
crypto map newmap 20 set peer 66.1.1.2
crypto map newmap 20 set transform-set myset
...
crypto map newmap 190 ipsec-isakmp
crypto map newmap 190 match address cubicfmmpix
crypto map newmap 190 set peer 149.1.1.1
crypto map newmap 190 set transform-set ttset
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap client authentication LOCAL
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 66.1.1.1 netmask 255.255.255.255
isakmp key ******** address 66.1.1.2 netmask 255.255.255.255
...
isakmp key ******** address 149.1.1.1 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
Thanks.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I was finally able to test it today; after some tuning I got it working. Thank you very much.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
It also shows using the VPN client to connect to the central site PIX, but you can ignore this part for your scenario...