Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > PIX 515E ver 7.2 and VPN peers

Thread Tools

PIX 515E ver 7.2 and VPN peers

Posts: n/a
Is there any way to use FQDN when using Lan-2-lan VPN with the set peer

thank you.

Reply With Quote
Walter Roberson
Posts: n/a
In article <(E-Mail Removed). com>,
XaBi <(E-Mail Removed)> wrote:
>Is there any way to use FQDN when using Lan-2-lan VPN with the set peer

A 'name' command can use periods in the name, so a 'name' can
*look* like a FQDN.

I have not been following PIX 7 closely, so there might be
a new feature that I have missed, but in PIX 6 there is no way
to have DNS lookup done on entered names, not even at the time
the name is first entered into the configuration. In order to
do something like that, you would need to be able to configure
a DNS server to refer to; as best I recall, PIX 7 does not
offer that (PIX 6 definitely does not.)

To use FQDN in configurations, you also need well-defined rules
about when the address associated with the FQDN will be re-inspected.

Simple "look it up at need" rules do not work, because given a DNS
facility, people would expect to be able to use FQDN in ACLs.
Every random port-scanning machine, known upon contact only by IP
address, -might- be a match for any FQDN, so you can expect that
nearly every FQDN in ACLs will need expansion often. But DNS
entries change much more often then firewalls get rebooted...

There are semantic issues to deal with if you use a FQDN as a
crypto peer. If the IP address associated with the FQDN changes,
what should happen to any active tunnel? You might say,
"well, only look up the IP address when the tunnel gets triggered",
but on an active tunnel, because of automatic renewal, the next
trigger might not be until the next reboot (or next network failure).
So you might want to impart semantics about checking the IP when
a SA (Security Association) lifetime is expiring, but what do you do if
the old tunnel is working perfectly and you cannot contact the new IP
or cannot authenticate to it? Then too, a SA is a IKE Phase 2 entity but
choice of peer is really an IKE Phase 1 matter, so you should deal
at Phase 1 renewal instead of at the SA level... which still has
questionable semantics re: if the new IP does not work.

You can have multiple crypto peer IP addresses, with fallback
semantics well defined. Does that mean that if you get multiple A
records back from the DNS lookup, that you should treat all
the IPs as if they had been listed as crypto peers? If so, then in
what order, considering that DNS servers often randomize the order
(in order to distribute load)? If you got one order before and a
different order now when it is time for a Phase 1 renewal, then which
IP should be renewed against? What additional features need to be
added to be able to deduce an ordering preference, since not all
of the IP addresses will necessarily be reachable (or optimal) through the
interface the crypto map is applied to?
Reply With Quote

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Belkin N1 Wireless USB Adapter (F5D8051 ver 2010uk) and Channel 13. Notes on Pre-N Notebook card (F5D8010 ver 1001uk), Wireless G Notebook card (F5D7011 ver 1000uk) and Wireless G Plus router (F5D7231-4 ver 3000uk) John Wireless Networking 1 07-27-2009 08:41 AM
Images; Sony A100 ver Nikon D80 ver Canon Rebel XTi ver Canon 30D Rich Digital Photography 0 10-13-2006 06:45 PM
PIX 515E ver. 7.1 PPTP?? XaBi Cisco 3 07-25-2006 12:57 PM
PIX 515E, VPN client has no route to outside network via vpn Clemens Schwaighofer Cisco 7 06-13-2005 03:48 PM
VPN in and VPN out on same port on PIX 515E...possible? Steve Baker Cisco 8 04-26-2004 07:10 PM