Hi, just had a quick question.
Let's say I have a Cisco ASA (running 8.3) and a Cisco router (which supports IPsec VPN), and the ASA has a static internet address, whilst the router has a dynamic one.
If I create an L2L IPsec tunnel between the two, how would this work?
Could I use a solution such as dynamic DNS and then use that DNS name as the tunnel group name, and the ASA will do a DNS lookup to see if it matches any phase 1 packets from a peer matching that IP? I think this is unlikely, but I believe it can be done on some Cisco routers?
Or does the ASA accept all connections from any peer address like it does with an RA tunnel? Which is what I think it does.
This should go to VPN rather than Firewalling.
I would suggest using certificates + dynamic map in this case. Same way you would in the case of two routers.
You can match the certificate to a particular tunnel group (by OU) or use tunnel group matching + certificate maps.
You can apply a match on the dynamic crypto map to match the proxy identities.
For DNS resolution - it has not been implemented:
Edit: added enhancements and clarifications.
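As an added illustration (not from the original thread), here is what the reply's approach looks like on the ASA side in 8.3 syntax: IKEv1 with RSA signatures, a certificate map that selects the branch router's certificate by subject OU, a tunnel-group-map rule that sends it to a named L2L tunnel group, and a dynamic crypto map that matches the proxy identities instead of a peer address. All names, the OU value and the subnets are placeholders.

```text
! Phase 1: IKEv1 on the outside interface, certificate (rsa-sig) authentication
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Trustpoint for the CA that issued both peers' certificates (placeholder name)
crypto ca trustpoint EXAMPLE-CA
 enrollment terminal
!
! Certificate map: select the branch router's certificate by subject OU (placeholder value)
crypto ca certificate map BRANCH-CERT-MAP 10
 subject-name attr ou eq BRANCH-VPN
!
! Send peers whose certificate matches the map to the named L2L tunnel group
tunnel-group-map enable rules
tunnel-group-map BRANCH-CERT-MAP 10 BRANCH-L2L
!
tunnel-group BRANCH-L2L type ipsec-l2l
tunnel-group BRANCH-L2L ipsec-attributes
 trust-point EXAMPLE-CA
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Proxy identities: the only traffic the dynamic peer may negotiate (placeholder subnets)
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.255.0
access-list BRANCH-CRYPTO extended permit ip object HQ-LAN object BRANCH-LAN
!
! Dynamic crypto map: no "set peer"; the proxy-identity match restricts what is accepted.
! Reverse-route injection adds a route to BRANCH-LAN only while the SA is up.
crypto dynamic-map DYN-L2L 10 match address BRANCH-CRYPTO
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-L2L 10 set reverse-route
!
! The dynamic entry must carry the highest sequence number in the static crypto map
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
```

Because the ASA has no peer address to dial, only the router can initiate the tunnel; configure the router to bring it up (or keep it up) and check the result with `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA.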