Peer Name/IP CISCO PIX VPN - Dynamic IP / dyndns

Discussion in 'Cisco' started by nathanielcook@gmail.com, Aug 22, 2005.

  1. Guest

    Hello, I have a question that I was hoping someone might be able to
    help me with. I have my CCNA, but am still relatively a n00b when it
    comes to more advanced features of Cisco routers.

    I am trying to make a change to an already configured CISCO PIX 515E
    router.

    Basically my problem is that there is a remote router that has a
    dynamic ip address, so I signed them up for dyndns.org service that
    gave them a hostname (example: xxxx.dyndns.org) that resolves to the
    current IP address. I want to change the tunnel policy and also add a
    preshared key that uses this host name instead of the dynamic ip
    address, so that every time the ip address changes I won't have to
    delete the preshared key and add another one for the new address. I
    have searched online to try to find others who have encountered this
    situation and what they did, but I have been unable so far to find out
    how this can be accomplished.

    The help file for the java CISCO pdm says the following regarding
    pre-shared keys:

    Peer Name/IP
    Enter the IP address or DNS host name of the remote peer for which you
    want to configure a pre-shared key.

    This gives me the impression that you can use xxxx.dyndns.org instead
    of the current ip address but when I enter that (on the screen
    PreShared Keys->Add PreShare Key) it gives me the following error
    message:

    "The IP Address is not in the correct format."

    Am I misunderstanding the help file as to what is possible? What
    exactly does it mean when it says "Peer Name"? Does anyone have any
    suggestions?

    I'm sure my question is not unique; I apologize for any duplication
    with regard to this question. If anyone has a link to some information
    that would be helpful I would greatly appreciate it.

    Thanks!
    NCook
     
    , Aug 22, 2005
    #1

  2. In article <>,
    <> wrote:
    :I am trying to make a change to an already configured CISCO PIX 515E
    :router.

    :Basically my problem is that there is a remote router that has a
    :dynamic ip address, so I signed them up for dyndns.org service that
    :gave them a hostname (example: xxxx.dyndns.org) that resolves to the
    :current IP address. I want to change the tunnel policy and also add a
    :preshared key that uses this host name instead of the dynamic ip
    :address, so that every time the ip address changes I won't have to
    :delete the preshared key and add another one for the new address.

    You can't do that with PIX 6.x.

    If you have only one dynamic peer, then use an isakmp key with
    an IP and mask of 0.0.0.0 and trust to your shared key to keep out
    intruders. What also helps keep out intruders is to nat 0 the traffic
    and have a crypto map match address that matches only the expected
    traffic -- then the opponents would need the IP range as well as
    the shared key [on the other hand if they were able to break the
    shared key, they can probably get the IP addresses too.]

    If you have multiple dynamic peers with overlapping IP addresses,
    you should consider using vpn groups (especially in PIX 7.0 which
    makes this clearer). If you have multiple dynamic peers with
    non-overlapping public IP addresses, then use distinct isakmp key
    with appropriate netmasks.
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
     
    Walter Roberson, Aug 22, 2005
    #2
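    A PIX 6.x configuration that puts the three pieces of advice above together (wildcard isakmp key, nat 0 for the tunnel traffic, and a crypto map that only matches the expected networks). This is an added example, not from the thread; the interface name, LAN ranges, map and ACL names and the key placeholder are all assumed.

```cisco
! PIX 6.3 site-to-site tunnel to a single dynamic peer (constructed example).
! Assumed: inside LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, outside
! interface named "outside", pre-shared key placeholder <STRONG-PRESHARED-KEY>.

! 1. Wildcard ISAKMP key: any peer presenting this key may start Phase 1, so
!    the key itself is the only thing keeping strangers out. Make it long and
!    random. PIX 6.x identifies peers by address only, which is why the PDM
!    rejected a dyndns hostname in this field.
isakmp enable outside
isakmp identity address
isakmp key <STRONG-PRESHARED-KEY> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 2. Exempt the site-to-site traffic from NAT ("nat 0") so the real
!    addresses travel inside the tunnel.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Phase 2 uses a dynamic crypto map because the peer address is unknown.
!    The match address line limits the tunnel to exactly these two LANs, so a
!    peer who has the key must also propose these networks before any traffic
!    is accepted.
access-list vpn-traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set strong-set esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 match address vpn-traffic
crypto dynamic-map dynmap 10 set transform-set strong-set
crypto map outside-map 10 ipsec-isakmp dynamic dynmap
crypto map outside-map interface outside

! 4. Let decrypted IPsec traffic bypass the outside interface access list.
sysopt connection permit-ipsec

! Verification, after the dynamic side has initiated the tunnel (the PIX
! cannot initiate to a peer whose address it does not know):
!   show isakmp sa        -> an established Phase 1 SA from the peer's current IP
!   show crypto ipsec sa  -> a Phase 2 SA whose local/remote idents are the two LANs
```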

  3. nwc3po Guest

    Just a note to say thanks Rich for your information. I'm afraid you
    went a little above my head with your reply, but all the same I was
    able to extrapolate basically what your suggestion was. We used the IP
    and mask of all zeros and that seemed to work (since we only have one
    dynamic peer)!

    btw we have firewall version 6.3something (Can that be upgraded???)

    Thanks again!
    Nate
     
    nwc3po, Aug 23, 2005
    #3
  4. In article <>,
    nwc3po <> wrote:
    :Just a note to say thanks Rich for your information.

    Ah, you were misled slightly by the attribution of the quote in my
    .signature ;-)


    :btw we have firewall version 6.3something (Can that be upgraded???)

    Yes, your original posting mentions you are using a PIX 515E.
    The 515E supports PIX 7.0, which is a major rewrite of PIX functionality.

    I haven't examined PIX 7.0 much, so I do not know whether it would
    have a better solution to the problem, but I have seen a couple of
    interesting possibilities in the crypto "profiles" examples.

    --
    Feep if you love VT-52's.
     
    Walter Roberson, Aug 23, 2005
    #4
  5. nwc3po Guest

    Thanks Walter (not Rich) :)
     
    nwc3po, Aug 24, 2005
    #5
