Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
675
Views
0
Helpful
2
Replies

Dynamic L2L on ASA 8.3.

Go to solution
marcosgeorgopoulos
Level 1
Level 1

‎07-05-2010 05:37 AM - edited ‎03-11-2019 11:07 AM

Hi just had a quick question.

Lets say I have a cisco ASA(running 8.3) and a cisco router( which supports IPSEC vpn)  and the ASA has a static internet address, whilst the router has a dynamic.

If I create a L2L IPSec tunnel between the two how would this work?

Could I use a solution such as dynamic dns and then use that DNS name as the Tunnel Group name and the ASA will do a DNS lookup to see if it matches any phase 1 packets from a peer matching that ip? I think this is unlikely but I believe it can be done on some cisco routers?

or does the ASA accept all connections from any peer address like it does with a RA tunnel? Which is what I think it does.

thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-05-2010 06:53 AM

Marcos,

This should got o VPN rather then firewalling.

I would suggest to use certificates + dynamic map in this case. Same way you would to in case of two routers.

You can match the certifcate to a particular tunnel group (by OU) or tunnel group matching + certificate maps.

You can apply match on dynamid crypto map to match the proxy identities.

For DNS resolution - it has not been implmeneted:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsc74898

Marcin

edit; Added enhancements and clarifications.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-05-2010 06:53 AM

Marcos,

This should got o VPN rather then firewalling.

I would suggest to use certificates + dynamic map in this case. Same way you would to in case of two routers.

You can match the certifcate to a particular tunnel group (by OU) or tunnel group matching + certificate maps.

You can apply match on dynamid crypto map to match the proxy identities.

For DNS resolution - it has not been implmeneted:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsc74898

Marcin

edit; Added enhancements and clarifications.

0 Helpful

Go to solution
marcosgeorgopoulos
Level 1
Level 1
In response to Marcin Latosiewicz

‎07-05-2010 04:04 PM

Thank you.

That was exactly what I was after. I will ensure I put any VPN related questions in the VPN section in the furture.

cheers.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card