alimohammed72 asked:

Site to Site VPN using peer FQDN rather than IP address

Hello

I have a Cisco ASA5540 and a Cisco 1811. I want the Cisco 1811 to connect to the ASA5540 using IPsec LAN-to-LAN with the peer given as
"vpn.test.com" rather than an IP address. What is required to be configured on the ASA and the 1800 to get this working?

Thanks
Istvan Kalmar

Both of them are dynamic public address?
alimohammed72 (Asker)
ASA is static
You would need to enable DNS lookup on the ASA. This way the ASA can lookup what vpn.test.com is.

dns domain-lookup <interface where DNS server is>
dns name-server <ip address of DNS server>
The ASA does not support DDNS in simple L2L.
Just go to the ASA and type:
#tunnel-group ?

You will see the explanation of the NAME parameter...
but what you can do is this:

name 1.1.1.1 vpn.test.com
#tunnel-group  vpn.test.com type ipsec-l2l

On the other hand, the router supports DDNS. Please take a look:
http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html

http://tools.cisco.com/search/JSP/search-results.get?isFormSubmit=true&strqueryid=2&websessionid=X3s2tIU5vycl15j9Ghv9LVn&strCurrentSimilarSearchBreadCrumb=&strCurrentSelectedModifierValues=&strPrevQuery=ddns&strQueryText=ddns&country=US&language=en&profile=enushomesppublished
If your ASA has a static address and "test.vpn.com" already points to that static address, you can set up a standard VPN group like you would use to connect to with the Cisco VPN client software on the ASA, then use the "Easy VPN" feature of the 1811 router to have the router connect to test.vpn.com as if it were using the Cisco VPN Client software.

(Cisco does not allow dns names to be used in a Site2Site VPN)
Cisco does not allow DNS names to be used in a Site2Site VPN? I am surprised.... Does Juniper/Checkpoint support this feature?

Thanks
Hi

You are able to make an L2L VPN without a static address, but only the endpoint is able to initiate the L2L VPN!!!!!

On the center side you use public key for 0.0.0.0
and the endpoint add the center side to crypto map!

Best Regards,
Istvan
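Putting the two answers above together (the ASA-side `name` alias plus `tunnel-group`, and the hub-terminates-a-dynamic-peer layout Istvan describes), here is an added configuration example that is not from this thread or from Cisco's documentation. It assumes the ASA is the static hub at 203.0.113.10 and the 1811 is the spoke on a dynamic address, that 203.0.113.53 is a reachable DNS server, that FastEthernet0 is the router's WAN interface, that the inside networks are 10.1.0.0/16 (ASA) and 10.2.0.0/24 (router), and that the router runs an IOS release with the DNS-based peer feature (`set peer <hostname> dynamic`). All addresses are constructed documentation values and the pre-shared key is a placeholder.

```cisco
! --- ASA5540, static public address (hub) ---
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
! "name" is only a static alias on the ASA; the ASA never resolves
! vpn.test.com itself, so the alias must be kept in sync with the real address
names
name 203.0.113.10 vpn.test.com
!
access-list L2L_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! The router's public address is not known in advance, so the hub accepts it
! on a dynamic crypto map; the hub cannot initiate the tunnel, only answer.
crypto dynamic-map DYN_MAP 10 match address L2L_TRAFFIC
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
! L2L peers whose address matches no tunnel-group land in DefaultL2LGroup;
! the pre-shared key is what authenticates the spoke, so use a long random value
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK

! --- Cisco 1811, dynamic public address (spoke) ---
ip domain lookup
ip name-server 203.0.113.53
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Key bound to the hub's host name rather than its address
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK hostname vpn.test.com
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
ip access-list extended L2L_TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 ! "dynamic": resolve vpn.test.com through DNS each time the SA is built,
 ! instead of once when the line is entered
 set peer vpn.test.com dynamic
 set transform-set ESP-AES256-SHA
 match address L2L_TRAFFIC
interface FastEthernet0
 crypto map OUTSIDE_MAP
```

The DNS answer only decides which address the router sends IKE to; the thread's DNS-spoofing concern is bounded by the fact that the peer still has to prove knowledge of the pre-shared key (or present an acceptable certificate), so a forged answer produces a failed negotiation rather than a tunnel to the wrong peer. Once the spoke has brought the tunnel up, traffic flows in both directions, but only the spoke can start it, which is the limitation Istvan points out. `show crypto isakmp sa` on either box shows whether phase 1 completed.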
I am looking for bidirectional.
Not sure about Juniper/checkpoint but dns spoofing makes using DNS names in a Site2Site insecure (or so says Cisco) so they dropped this ability.

The EasyVPN is bidirectional and it was created for your scenario; the router will reconnect to the ASA as a bidirectional VPN Client upon booting.
Can you show me how to use dns names in EasyVPN scenario?
ASKER CERTIFIED SOLUTION
Darkstriker69