PIX to PIX VPN with dynDNS

Discussion in 'Cisco' started by Ivan Ostres, Jul 15, 2004.

  1. Ivan Ostres

    Ivan Ostres Guest

    Hi all,

    I have a very specific situation. I have a user with two sites connected
    to internet using ADSL (in Europe). He doesn't have a static address on
    any site. He would like site-to-site VPN (yes, cheap) so we are
    considering using PIX 501 on every location and using dyndns service.

    The thing is that addresses are changing every 48 hours.

    I'm aware that this could work if one address is static and other is
    dynamic or both are static, but don't know if it will work if both are
    dynamic.

    Can I use FQDN in configuration instead of IP address for VPN parameters
    on PIX? If not pix, small router would be good too. Anyone tried that?
    If Cisco couldn't do that, is there any other solution that would work?

    Please help.
     
    Ivan Ostres, Jul 15, 2004
    #1

  2. You get what you pay for.
    Bad luck.
    You can, but the PIX will look up the name only once (IIRC).
    You get one cheap product, so go out and buy another cheap router. Of course,
    they lack several features, but they can deal with dyndns (cheap!) or X.31
    calls over ISDN (cheap!).

    You might have a look at Bintec.
     
    Lutz Donnerhacke, Jul 15, 2004
    #2

  3. Ivan Ostres

    Jens Haase Guest

    No, the PIX will never look up any name; the IOS router does once and then
    saves the IP address to the config!
    You can't even configure a nameserver in PIX!

    There is another option: if you know Perl, there is a module called
    "Net::Telnet::Cisco".
    With this module you can write a script that checks whether the address of the
    opposite site changes and, if so, changes the crypto map and ISAKMP parameters
    on the PIX.
    I already did it with IOS routers and it has been working pretty stably for
    about two years now.


    Jens
     
    Jens Haase, Jul 15, 2004
    #3
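
The check-and-update logic described in post #3, sketched as an added example (not Jens Haase's script, and written in Python rather than with the Perl module he mentions): it validates the address the dynDNS name resolves to and builds the configuration lines for the peer change, leaving the actual device session out. The command syntax is assumed to be PIX 6.x, and the host name, crypto map name `vpnmap`, sequence number and key are constructed sample values.

```python
import ipaddress
import re
import socket

# RFC 1918 ranges: a dynDNS record for an Internet-facing peer should never point here.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_NETMASK = "255.255.255.255"

def resolve_peer(fqdn, resolver=socket.gethostbyname):
    """Resolve the remote site's name; reject answers that cannot be a real peer."""
    addr = ipaddress.IPv4Address(resolver(fqdn))  # ValueError on a malformed answer
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved
            or any(addr in net for net in _RFC1918)):
        raise ValueError(f"{fqdn} resolved to unusable address {addr}")
    return str(addr)

def peer_change_commands(old_ip, new_ip, map_name, seq, psk):
    """Return the config lines that move the tunnel from old_ip to new_ip.

    Command syntax is assumed to be PIX 6.x; check it against the running config.
    """
    # Everything ends up typed into a privileged CLI session, so validate it all.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,40}", map_name):
        raise ValueError("unexpected crypto map name")
    if not psk or any(c.isspace() for c in psk):
        raise ValueError("pre-shared key must be a single token")
    seq = int(seq)
    new_ip = str(ipaddress.IPv4Address(new_ip))
    old_ip = str(ipaddress.IPv4Address(old_ip)) if old_ip else None
    if old_ip == new_ip:
        return []  # nothing changed, leave the running tunnel alone
    cmds = []
    if old_ip:
        cmds += [f"no crypto map {map_name} {seq} set peer {old_ip}",
                 f"no isakmp key {psk} address {old_ip} netmask {_NETMASK}"]
    cmds += [f"isakmp key {psk} address {new_ip} netmask {_NETMASK}",
             f"crypto map {map_name} {seq} set peer {new_ip}"]
    return cmds

if __name__ == "__main__":
    # Constructed sample: the resolver is stubbed so the demo runs offline.
    new = resolve_peer("site-b.example.invalid", resolver=lambda _n: "198.51.100.7")
    for line in peer_change_commands("192.0.2.10", new, "vpnmap", 10, "EXAMPLE-KEY"):
        print(line.replace("EXAMPLE-KEY", "<psk>"))  # keep the key out of logs
```

Because the peer address now follows a DNS record, the pre-shared key is the only thing that authenticates the other end, so the key and the dynDNS account both need protecting.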
  4. Ivan Ostres

    Ivan Ostres Guest

    Actually it's a customer's problem. He was cheap. (I was consulting on
    datacenter and he came up with this question... "..by the way, can we
    use....")
    Thanks a bunch, I will take a look at Bintec.
     
    Ivan Ostres, Jul 15, 2004
    #4