Site to Site VPN using peer FQDN rather than IP address

alimohammed72
Hello

I have a Cisco ASA5540 and a Cisco 1811. I want the Cisco 1811 to connect to the ASA5540 using IPsec LAN-to-LAN with the peer specified as
"vpn.test.com" rather than an IP address. What is required to be configured on the ASA and 1800 to get this working?

Thanks
Istvan Kalmar, Head of IT Security Division (Top Expert 2010)

Commented:
Both of them are dynamic public address?

Author

Commented:
ASA is static

Commented:
You would need to enable DNS lookup on the ASA. This way the ASA can look up what vpn.test.com is.

dns domain lookup <interface where DNS server is>
dns name-server <ip address of DNS server>

Commented:
The ASA does not support DDNS in simple L2L.
Just go to the ASA and type:
#tunnel-group ?

You will see the explanation of the NAME parameter...
but what you can do is this:

name 1.1.1.1 vpn.test.com
#tunnel-group  vpn.test.com type ipsec-l2l

On the other hand, the router supports DDNS. Please take a look:
http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html

http://tools.cisco.com/search/JSP/search-results.get?isFormSubmit=true&strqueryid=2&websessionid=X3s2tIU5vycl15j9Ghv9LVn&strCurrentSimilarSearchBreadCrumb=&strCurrentSelectedModifierValues=&strPrevQuery=ddns&strQueryText=ddns&country=US&language=en&profile=enushomesppublished
If your ASA has a static address and "test.vpn.com" already points to that static address, you can set up a standard VPN group like you would use to connect to with the Cisco VPN client software on the ASA, then use the "Easy VPN" feature of the 1811 router to have the router connect to test.vpn.com as if it were using the Cisco VPN Client software.

(Cisco does not allow DNS names to be used in a Site2Site VPN)

Author

Commented:
Cisco does not allow DNS names to be used in a Site2Site VPN? I am surprised.... Does Juniper/Checkpoint support this feature?

Thanks
Istvan Kalmar, Head of IT Security Division (Top Expert 2010)

Commented:
Hi

You are able to make an L2L VPN without a static address, but only the endpoint is able to make the L2L VPN!!!!!

On the center side you use the public key for 0.0.0.0,
and the endpoint adds the center side to its crypto map!

Best Regards,
Istvan

Author

Commented:
I am looking for bidirectional.
Not sure about Juniper/Checkpoint, but DNS spoofing makes using DNS names in a Site2Site VPN insecure (or so says Cisco), so they dropped this ability.

The EasyVPN is bidirectional and it was created for your scenario: the router will reconnect to the ASA as a bidirectional VPN Client upon booting.
Istvan Kalmar, Head of IT Security Division (Top Expert 2010)

Commented:
Can you show me how to use dns names in EasyVPN scenario?
You do not appear to be the author of this question.... but, sure

1)  On the ASA, if you have not done so already, create a Network (Client) Access VPN similar to the one outlined in these instructions.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

2) Contact your DNS provider and have them map the A record "vpn.test.com" (or whatever your chosen dns name is) to the ip address of the ASA's outside interface.

3) Log in to the 1811 router SDM and click "configure", "VPN", "Easy VPN Remote" and run the Wizard. Enter a "tunnel name", for "Easy VPN Server" enter "vpn.test.com" (or whatever your chosen dns name is),  for group name enter the tunnel group you created in step 1, for the key enter the key created in step 1, and complete the wizard.

See this document for additional details of this step:

http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/application/notes/EZVPNCan.pdf

4) Test connectivity.

Done

The router will boot, resolve vpn.test.com, connect to the resolved IP address as a VPN Client, and reconnect if the connection is interrupted or times out.
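As an added example (not from this thread or from Cisco's own documentation), the CLI equivalent of steps 1 to 3 above: the 1811 resolves vpn.test.com itself and dials the ASA as an Easy VPN Remote client in network-extension mode, and the ASA terminates it as a remote-access tunnel group. The group name, keys, usernames, DNS server address, encryption settings and interface names are assumed placeholders.

```cisco
! ---- Cisco 1811 (Easy VPN Remote), constructed example ----
! The router needs working DNS so that "peer vpn.test.com" can be resolved.
ip domain lookup
ip name-server 198.51.100.53
!
crypto ipsec client ezvpn EZVPN-TO-ASA
 connect auto
 group EZVPN-GROUP key PLACEHOLDER-GROUP-KEY
 mode network-extension
 ! DNS only locates the hub; IKE authentication (group key + xauth) still decides trust.
 peer vpn.test.com
 username 1811-remote password PLACEHOLDER-XAUTH-PASSWORD
 xauth userid mode local
!
interface FastEthernet0
 description WAN uplink
 crypto ipsec client ezvpn EZVPN-TO-ASA
!
interface Vlan1
 description LAN side that is extended over the tunnel
 crypto ipsec client ezvpn EZVPN-TO-ASA inside
!
! ---- Cisco ASA5540 (Easy VPN Server), constructed example ----
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-tunnel-protocol IPSec
 nem enable
!
username 1811-remote password PLACEHOLDER-XAUTH-PASSWORD
!
tunnel-group EZVPN-GROUP type ipsec-ra
tunnel-group EZVPN-GROUP general-attributes
 default-group-policy EZVPN-GP
tunnel-group EZVPN-GROUP ipsec-attributes
 pre-shared-key PLACEHOLDER-GROUP-KEY
```

Verify the tunnel with show crypto ipsec client ezvpn on the router and show vpn-sessiondb remote on the ASA; the group name and pre-shared key must match on both sides exactly.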
