Site-to-site VPN using FQDNs instead of IPs

Unanswered Question
Jan 7th, 2009

Ok, I have done some research and I keep coming up with different answers and no examples. I have read that the ASA (or PIX 7+) will allow you to do site-to-site VPNs using hostnames for peers rather than IPs. What I would like to know is how to do this, and a little explanation of why it seems so difficult to find any documentation on it. I am running an ASA 8.0.4(16), and when I attempt to enter the command "crypto map xxx 10 set peer" I get "invalid hostname", unless I specify a name-to-IP mapping using the name command. I need some clarification here!

Ivan Martinon Fri, 01/09/2009 - 16:46

AFAIK the only way to allow this to happen is either of these:

1. Have your remote peer configured for aggressive mode and your ASA configured with dynamic crypto maps. Defining the tunnel group with the FQDN will allow the ISAKMP completion, and the dynamic crypto map will not require you to define a peer address.

2. Have your ASA use certificate authentication with the FQDN, plus dynamic crypto maps.
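
The first option above, written out as an added hub-side ASA 8.0 configuration (this is an illustrative example, not configuration from the original post or from Cisco). The interface names, addresses, ACL and map names, the FQDN branch.example.com and the pre-shared key are all placeholders; the branch side is a peer with a dynamic address that initiates in aggressive mode and sends its FQDN as its IKE identity.

```cisco
! Hub ASA (static public IP, assumed 203.0.113.1 on interface "outside").
! All names, addresses and the key are hypothetical placeholders.

! Phase 1. Aggressive mode must stay enabled on the hub (do not configure
! "crypto isakmp am-disable"): a peer can only identify itself by hostname
! before authentication in aggressive mode, which is what lets the ASA pick
! the right pre-shared key without knowing the peer's IP in advance.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 parameters.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: hub LAN 10.1.0.0/16 <-> branch LAN 10.2.0.0/24.
access-list BRANCH-VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0

! 8.0-style NAT exemption so the tunnelled traffic is not translated.
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

! Dynamic crypto map: there is no "set peer" line at all, so the peer's
! address is learned when it connects. Consequence: the hub cannot initiate
! this tunnel; only the branch can bring it up.
crypto dynamic-map DYN-MAP 10 match address BRANCH-VPN
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA

! Bind the dynamic map into the outside crypto map with the highest
! sequence number so that any static (IP-peer) entries are tried first.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! The tunnel-group name must be exactly the IKE ID the branch sends (its
! FQDN). The ASA selects the tunnel group by that ID; an ID that matches
! no group falls through to a default group, which is where DefaultRAGroup
! messages come from.
tunnel-group branch.example.com type ipsec-l2l
tunnel-group branch.example.com ipsec-attributes
 pre-shared-key Sup3r-L0ng-Random-Shared-Secret-Change-Me
```

On the branch side the requirements are: aggressive mode, ISAKMP identity set to hostname so the FQDN is sent as the IKE ID, and the same pre-shared key. If the branch is an IOS router (an assumption, not stated in the thread), that is `crypto isakmp identity hostname` together with `crypto isakmp peer address 203.0.113.1` and its `set aggressive-mode client-endpoint fqdn branch.example.com` / `set aggressive-mode password ...` sub-commands. Two checks worth doing after the first connection: `show crypto isakmp sa` on the hub should show the branch's current address, and `show vpn-sessiondb detail l2l` should list the session under the FQDN-named tunnel group rather than a default group. One caveat: aggressive mode with pre-shared keys sends a hash derived from the key in the clear, which allows offline dictionary attacks on a weak key, so use a long random pre-shared key or prefer the certificate-based option.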

ryancolson Fri, 01/09/2009 - 18:53

Thank you for your response. Doesn't 7+ code still force them into using the remote access tunnel group instead of the L2L one? Every time I have tried this before, defining a tunnel group L2L, the connections come in and I get an error message in the console about the DefaultRAGroup.
