PIX to PIX VPN with dynDNS

    I have a very specific situation. I have a user with two sites connected
    to internet using ADSL (in Europe). He doesn't have a static address on
    any site. He would like site-to-site VPN (yes, cheap) so we are
    considering using PIX 501 on every location and using dyndns service.

    The thing is that addresses are changing every 48 hours.

    I'm aware that this could work if one address is static and other is
    dynamic or both are static, but don't know if it will work if both are

    Can I use FQDN in configuration instead of IP address for VPN parameters
    on PIX? If not pix, small router would be good too. Anyone tried that?
    If Cisco couldn't do that, is there any other solution that would work?

    Please help.
    Ivan Ostres, Jul 15, 2004
    You get what you pay for.
    Bad luck.
    You can, but the PIX will look up the name only once (IIRC).
    You get one cheap product, so go out and buy another cheap router. Of course,
    they lack several features, but they can deal with dyndns (cheap!) or X.31
    calls over ISDN (cheap!).

    You might have a look at Bintec.
    Lutz Donnerhacke, Jul 15, 2004
    No, the Pix will never look up any name, the IOS Router does once and then
    saves the IP address to the config!
    You can't even configure a nameserver in PIX!

    There is another option, if you know Perl, there is a module called
    With this module you can write a script that checks whether the address of the
    opposite site changes and, if so, changes the crypto map and ISAKMP parameters
    on PIX.
    I already did it with IOS Routers and it works pretty stable for about two
    years now.

    Jens Haase, Jul 15, 2004
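
    The check described in the post above, as an added example (not code from the thread, and written in Python rather than Perl): resolve the remote site's dyndns name, refuse answers that cannot be a real ADSL peer, and build the config lines only when the address has changed. The hostname, map name `VPNMAP`, sequence `10`, the key placeholder and the sample addresses are assumptions; the command forms follow PIX 6.x syntax and should be checked against the software version in use. Pushing the lines to the device is left out.

```python
import ipaddress
import socket

# RFC 1918 ranges: a dyndns answer inside them cannot be the remote ADSL address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_peer(addr):
    """Return addr normalised, or raise ValueError if it is not a usable peer."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip.version != 4:
        raise ValueError(f"not an IPv4 address: {addr}")
    if (ip.is_loopback or ip.is_multicast or ip.is_unspecified
            or ip.is_link_local or ip.is_reserved
            or any(ip in net for net in RFC1918)):
        raise ValueError(f"refusing non-routable peer address: {addr}")
    return str(ip)

def resolve_peer(fqdn, resolver=socket.gethostbyname):
    """Resolve the remote dyndns name and validate what DNS returned."""
    return validate_peer(resolver(fqdn))

def plan_update(old_ip, new_ip, map_name="VPNMAP", seq=10,
                key="<PRE-SHARED-KEY>"):
    """Config lines that move the tunnel from old_ip to new_ip.

    Returns [] when the peer is unchanged, so nothing touches the device.
    map_name, seq and key are hypothetical placeholders.
    """
    new_ip = validate_peer(new_ip)
    if old_ip is not None:
        old_ip = validate_peer(old_ip)
    if old_ip == new_ip:
        return []
    cmds = []
    if old_ip is not None:
        # Remove the stale peer so the old address no longer holds a key.
        cmds += [f"no crypto map {map_name} {seq} set peer {old_ip}",
                 f"no isakmp key {key} address {old_ip}"]
    cmds += [f"isakmp key {key} address {new_ip} netmask 255.255.255.255",
             f"crypto map {map_name} {seq} set peer {new_ip}"]
    return cmds

if __name__ == "__main__":
    # Constructed sample: a fake resolver so the example runs offline.
    fake_dns = {"site-b.example.net": "203.0.113.25"}
    new = resolve_peer("site-b.example.net", resolver=fake_dns.__getitem__)
    print("\n".join(plan_update("198.51.100.10", new)))
```

    Because the peer address now comes from a DNS answer, the pre-shared key is the only thing authenticating the far end, so it should be long and random and the script's copy of it kept readable only by the account that runs it.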

    Actually it's a customer's problem. He was cheap. (I was consulting on
    datacenter and he came up with this question... "..by the way, can we
    Thanks a bunch, I will take a look at Bintec.
    Ivan Ostres, Jul 15, 2004
