Peer Name/IP CISCO PIX VPN - Dynamic IP / dyndns

Hello, I have a question that I was hoping someone might be able to help me with. I have my CCNA, but am still relatively a n00b when it comes to more advanced features of Cisco routers.

I am trying to make a change to an already configured CISCO PIX 515E router.

Basically my problem is that there is a remote router that has a dynamic ip address, so I signed them up for dyndns.org service that gave them a hostname (example: xxxx.dyndns.org) that resolves to the current IP address. I want to change the tunnel policy and also add a preshared key that uses this host name instead of the dynamic ip address, so that every time the ip address changes I won't have to delete the preshared key and add another one for the new address. I have searched online to try to find others who have encountered this situation and what they did, but I have been unable so far to find out how this can be accomplished.

The help file for the java CISCO pdm says the following regarding pre-shared keys:

Peer Name/IP Enter the IP address or DNS host name of the remote peer for which you want to configure a pre-shared key.

This gives me the impression that you can use xxxx.dyndns.org instead of the current ip address but when I enter that (on the screen PreShared Keys->Add PreShare Key) it gives me the following error message:

"The IP Address is not in the correct format."

Am I misunderstanding the help file as to what is possible? What exactly does it mean when it says "Peer Name"? Does anyone have any suggestions?

I'm sure my question is not unique; I apologize for any duplication with regard to this question. If anyone has a link to some information that would be helpful I would greatly appreciate it.

Thanks! NCook

Reply to
nathanielcook

In article , wrote:
: I am trying to make a change to an already configured CISCO PIX 515E router.

: Basically my problem is that there is a remote router that has a dynamic ip address, so I signed them up for dyndns.org service that gave them a hostname (example: xxxx.dyndns.org) that resolves to the current IP address. I want to change the tunnel policy and also add a preshared key that uses this host name instead of the dynamic ip address, so that every time the ip address changes I won't have to delete the preshared key and add another one for the new address.

You can't do that with PIX 6.x.

If you have only one dynamic peer, then use an isakmp key with an IP and mask of 0.0.0.0 and trust to your shared key to keep out intruders. What also helps keep out intruders is to nat 0 the traffic and have a crypto map match address that matches only the expected traffic -- then the opponents would need the IP range as well as the shared key [on the other hand if they were able to break the shared key, they can probably get the IP addresses too.]

If you have multiple dynamic peers with overlapping IP addresses, you should consider using vpn groups (especially in PIX 7.0 which makes this clearer). If you have multiple dynamic peers with non-overlapping public IP addresses, then use distinct isakmp keys with appropriate netmasks.

Reply to
Walter Roberson
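The single-dynamic-peer setup described in the reply above, written out as a PIX 6.3 configuration fragment. This is an added example, not configuration posted in the thread; the subnets, ACL and map names are constructed, and the key is a placeholder. The wildcard isakmp key accepts IKE from any address, so the nat 0 ACL and the dynamic crypto map's match address are what limit the tunnel to the expected traffic, and the dynamic peer must always initiate because the PIX does not know its address.

```cisco
! Constructed example: 192.168.1.0/24 behind the PIX, 192.168.2.0/24 behind the dynamic peer
! Only this traffic pair is exempt from NAT and allowed into the tunnel
access-list l2l-traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list l2l-traffic
sysopt connection permit-ipsec

! Phase 1: pre-shared key for any peer address (single dynamic peer only)
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER_LONG_RANDOM_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: dynamic crypto map so no peer address is needed in the map
crypto ipsec transform-set l2l-set esp-aes esp-sha-hmac
crypto dynamic-map dyn-map 10 match address l2l-traffic
crypto dynamic-map dyn-map 10 set transform-set l2l-set
crypto map outside-map 65535 ipsec-isakmp dynamic dyn-map
crypto map outside-map interface outside
```

A peer that knows the key but not the 192.168.x.0 ranges still cannot negotiate a usable SA, which is the point made above about requiring the IP range as well as the shared key.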

Just a note to say thanks Rich for your information. I'm afraid you went a little above my head with your reply, but all the same I was able to extrapolate basically what your suggestion was. We used the IP and mask of all zeros and that seemed to work (since we only have one dynamic peer)!

btw we have firewall version 6.3something (Can that be upgraded???)

Thanks again! Nate

Reply to
nwc3po

In article , nwc3po wrote:
: Just a note to say thanks Rich for your information.

Ah, you were misled slightly by the attribution of the quote in my .signature ;-)

: btw we have firewall version 6.3something (Can that be upgraded???)

Yes, your original posting mentions you are using a PIX 515E. The 515E supports PIX 7.0, which is a major rewrite of PIX functionality.

I haven't examined PIX 7.0 much, so I do not know whether it would have a better solution to the problem, but I have seen a couple of interesting possibilities in the crypto "profiles" examples.

Reply to
Walter Roberson

Thanks Walter (not Rich) :-)

Reply to
nwc3po

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.