awilner
asked on
PIX-2-PIX, VPN to Dynamic DNS
Hello,
I am not sure if I am missing something simple. I have a PIX that is sitting on a dynamic-IP DSL line, and a client behind the PIX updates the IP of the dynamic DNS host every time it changes. I can also VPN to it using the Cisco client. Pretty standard, and it works well. However, now I am trying to build a permanent connection between this PIX and a PIX 525 on my network.
As I found out I cannot use:
access-list 101 permit ip host 172.18.1.100 host something.dnsalias.net
or
crypto map newmap 200 set peer something.dnsalias.net
Is there a way to build this configuration? I looked through the existing answers on EE and couldn't find it. Any help would be greatly appreciated.
ASKER
Thank you. (Sorry, I just noticed that I put an incorrect access-list in my email; obviously my only concern is the peer for the crypto map and the isakmp policy.)
I looked at the example, and I am a little confused; so since it is not known what the IP address is going to be, it needs to accept connections from anywhere as long as the pre-shared key matches? Does that mean that all I have to do is create another dynamic map ...
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
?
Here is a fragment of the current config:
...
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ttset esp-aes esp-sha-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 10 set transform-set vpnset
crypto dynamic-map outside_dyn_map 20 set transform-set vpnset
crypto dynamic-map outside_dyn_map 30 set transform-set vpnset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer 66.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 103
crypto map newmap 20 set peer 66.1.1.2
crypto map newmap 20 set transform-set myset
...
crypto map newmap 190 ipsec-isakmp
crypto map newmap 190 match address cubicfmmpix
crypto map newmap 190 set peer 149.1.1.1
crypto map newmap 190 set transform-set ttset
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap client authentication LOCAL
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 66.1.1.1 netmask 255.255.255.255
isakmp key ******** address 66.1.1.2 netmask 255.255.255.255
...
isakmp key ******** address 149.1.1.1 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
Thanks.
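The dynamic-to-static arrangement the question is asking about, written out as an added example for this page in PIX 6.x syntax (it is not part of the thread, the accepted solution, or Cisco's own configuration example). Assumed, constructed values: the static-side PIX answers on 203.0.113.1, its inside network is 10.1.1.0/24, the DSL-side inside network is 172.18.1.0/24, and NAT exemption (nat 0) for the tunnelled networks is already in place on both boxes; the map names outside_dyn_map, newmap and transform-set myset are taken from the configuration posted above.

```text
! --- Static-IP PIX (the PIX 525): it can only answer the tunnel, never start it ---
! Proxy identities accepted from an unknown peer: exactly these two networks.
access-list l2l-dyn permit ip 10.1.1.0 255.255.255.0 172.18.1.0 255.255.255.0
! Dynamic-map entry with a match address ACL. Sequence 5 puts it ahead of the
! client entries 10/20/30, which carry no ACL and therefore match any proxy ID.
crypto dynamic-map outside_dyn_map 5 match address l2l-dyn
crypto dynamic-map outside_dyn_map 5 set transform-set myset
! Already present in the posted config: the dynamic map hangs off the static map.
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
! Only one wildcard pre-shared key can exist; no-xauth / no-config-mode stops the
! PIX from pushing XAUTH and mode-config to the LAN-to-LAN peer. Any host that
! knows this key can complete phase 1, so the ACL above is what bounds phase 2.
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec

! --- Dynamic-IP (DSL) PIX: a normal static crypto map, this side initiates ---
access-list l2l-hub permit ip 172.18.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map tohub 10 ipsec-isakmp
crypto map tohub 10 match address l2l-hub
crypto map tohub 10 set peer 203.0.113.1
crypto map tohub 10 set transform-set myset
crypto map tohub interface outside
isakmp enable outside
! Key is bound to the fixed peer address here; the wildcard lives only on the hub.
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

Because the static side has no peer address to dial, the tunnel only comes up when interesting traffic leaves the DSL side; on the PIX 525, show crypto isakmp sa and show crypto ipsec sa will list the remote peer only after it has connected.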
ASKER
I was finally able to test it today; after some tuning I got it working. Thank you very much.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
It also shows using the VPN client to connect to the central site PIX, but you can ignore this part for your scenario...