05-29-2007 02:02 AM - edited 02-21-2020 03:04 PM
Can I configure ASA to use real-time resolution for IPSec Tunnel Peer?
I found that Cisco IOS 12.4 has the command set peer with the switch dynamic.
Has ASA something similar?
05-29-2007 05:49 AM
Tihomir,
What do you mean by "real-time resolution" for IPSec tunnel peer?
Do you mean to say that the remote site is getting a DHCP address and you do not know the IP address when it is trying to connect?
If that is the case, then ASA can terminate a dynamic IPSec tunnel for the end peer.
Is this what you are looking for?
Let me know.
Cheers
Gilbert
05-29-2007 05:58 AM
Yes, the remote site is connected via a DSL line and has a dynamic IP address.
That address can be registered using a dynamic DNS service, so the remote site has only an FQDN (not a static IP address).
Is it possible to use that dynamic DNS address as remote peer address?
Regards,
Tihomir
05-29-2007 06:38 AM
Tihomir,
You have to use certificates in that scenario.
Your isakmp identity matching should be done by hostname.
Your ASA and the remote site will have to be authenticated and enrolled to a CA server so that the key exchange negotiations will happen using certificates and not pre-shared keys.
Hope this explains.
Rate this post, if it helps!!
Cheers
Gilbert
05-29-2007 10:47 PM
Thank you for your answers!
Is it possible to use pre-shared keys instead of certificates?
05-30-2007 05:41 AM
If the remote site has to be connected through an FQDN, then you need to use certificates. Pre-shared keys will not do the trick.
Reason: In the certificates, the OU will match to the group through the group-matching scenario and can be tagged to a tunnel-group.
Hope this explains.
Rate this post, if it helped.
Cheers
Gilbert
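A hub-side ASA configuration that puts the certificate-based approach from the replies above into practice. This is an added illustration, not configuration posted in the thread; the trustpoint, certificate map, tunnel-group and transform-set names, the CA URL and the OU value are assumed placeholders, and the syntax is ASA 8.x style.

```cisco
! Hub ASA (assumed name/domain): identity is the FQDN, not the peer's changing IP
hostname hub-asa
domain-name example.com
crypto isakmp identity hostname

! Trustpoint for the CA that both sites enroll with (placeholder CA URL)
crypto ca trustpoint MY-CA
 enrollment url http://ca.example.com:80
 subject-name CN=hub-asa.example.com,OU=BRANCH-VPN,O=Example

! Certificate map: pick out peers whose certificate OU is BRANCH-VPN (assumed value)
crypto ca certificate map BRANCH-MAP 10
 subject-name attr ou eq BRANCH-VPN

! Map matching certificates to a tunnel group; rule-based matching must be enabled
tunnel-group-map enable rules
tunnel-group-map BRANCH-MAP 10 BRANCH-TG

! Tunnel group for the branch: authenticated by the trustpoint, no pre-shared key
tunnel-group BRANCH-TG type ipsec-l2l
tunnel-group BRANCH-TG ipsec-attributes
 trust-point MY-CA

! Phase 1: RSA signatures instead of pre-shared keys
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! Phase 2: a dynamic crypto map, because the branch's address is unknown in advance
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Checks after the branch connects:
!   show crypto ca certificates   (both identity and CA certs present)
!   show crypto isakmp sa         (peer state should reach MM_ACTIVE)
```

The branch ASA needs the matching pieces (same CA, identity hostname, an OU of BRANCH-VPN in its certificate and a static crypto map pointing at hub-asa.example.com); the hub never needs the branch's IP.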