
New Member

Asa and real-time resolution for IPSec Tunnel Peer.

Can I configure ASA to use real-time resolution for IPSec Tunnel Peer?

I found that Cisco IOS 12.4 has the command set peer with the dynamic switch.

Does ASA have something similar?

5 REPLIES
Cisco Employee

Re: Asa and real-time resolution for IPSec Tunnel Peer.

Tihomir,

What do you mean by "real-time resolution" for IPSec tunnel peer?

Do you mean to say that the remote site is getting a DHCP address and you do not know the IP address when it is trying to connect?

If that is the case, then ASA can terminate a dynamic IPSec tunnel for the end peer.

Is this what you are looking for?

Let me know.

Cheers

Gilbert

New Member

Re: Asa and real-time resolution for IPSec Tunnel Peer.

Yes, the remote site is connected via a DSL line and has a dynamic IP address.

That address can be registered using a dynamic DNS service, so the remote site has only an FQDN (not a static IP address).

Is it possible to use that dynamic DNS address as remote peer address?

Regards,

Tihomir

Cisco Employee

Re: Asa and real-time resolution for IPSec Tunnel Peer.

Tihomir,

You have to use certificates in that scenario.

Your isakmp identity matching should be done by hostname.

Your ASA and the remote site will have to be authenticated and enrolled to a CA server so that the key exchange negotiations will happen using certificates and not pre-shared keys.

Hope this explains.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080637127.html#wp1052788

Rate this post, if it helps!!

Cheers

Gilbert

New Member

Re: Asa and real-time resolution for IPSec Tunnel Peer.

Thank you for your answers!

Is it possible to use pre-shared keys instead of certificates?

Cisco Employee

Re: Asa and real-time resolution for IPSec Tunnel Peer.

If the remote site has to be connected through an FQDN, then you need to use certificates. Pre-shared keys will not do the trick.

Reason: In the certificates, the OU will match to the group through the group-matching scenario and can be tagged to a tunnel-group.

Hope this explains.

Rate this post, if it helped.

Cheers

Gilbert
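The two replies above (certificate-based authentication with ISAKMP identity by hostname, and the OU-to-tunnel-group match) are illustrated below as an added example of the hub-side ASA configuration. It is not configuration from the thread, from Gilbert, or from the linked Cisco guide; all names (BRANCH-CA, BRANCH-VPN, DYN-BRANCH, OUTSIDE-MAP, BRANCH-CERT-MAP, BRANCH-L2L, hq-asa.example.com) are constructed, the branch side is assumed to enroll with the same CA and carry OU=BRANCH-VPN in its certificate, and the submode syntax assumes ASA 7.2 or later (7.0/7.1 use flat isakmp commands without the crypto prefix).

```cisco
! --- Trustpoint: the ASA authenticates the CA and enrolls its own identity cert.
! "enrollment terminal" means the CA cert and the ASA's signed cert are pasted in
! by hand; "crypto ca authenticate BRANCH-CA" and "crypto ca enroll BRANCH-CA"
! are then run from exec mode (interactive, not shown here).
crypto ca trustpoint BRANCH-CA
 enrollment terminal
 subject-name CN=hq-asa.example.com,OU=BRANCH-VPN
 ! Check the CRL so a revoked branch certificate cannot keep bringing the tunnel up.
 ! Assumes the CRL distribution point named in the certificates is reachable.
 revocation-check crl

! --- Phase 1: identity is the certificate hostname, not a peer IP, so a branch
! whose DSL address changes can still be authenticated.
crypto isakmp identity hostname
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! --- Phase 2: a dynamic crypto map accepts initiations from peers whose address
! is unknown in advance; it sits at the end of the static crypto map.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-BRANCH 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-BRANCH
crypto map OUTSIDE-MAP interface outside

! --- Certificate map: only certificates from this CA whose subject OU equals
! BRANCH-VPN are steered into the branch tunnel-group. This is the
! "OU will match to the group" step from the reply above.
crypto ca certificate map BRANCH-CERT-MAP 10
 subject-name attr ou eq BRANCH-VPN
tunnel-group-map enable rules
tunnel-group-map BRANCH-CERT-MAP 10 BRANCH-L2L

! --- The tunnel-group the matched peer lands in; it presents BRANCH-CA's
! certificate back to the branch during IKE.
tunnel-group BRANCH-L2L type ipsec-l2l
tunnel-group BRANCH-L2L ipsec-attributes
 trust-point BRANCH-CA
```

Once a branch initiates, show crypto isakmp sa and show crypto ipsec sa on the hub confirm which tunnel-group the peer was placed in. The explicit certificate map is used rather than the default tunnel-group-map enable ou behaviour (which takes the OU string itself as the tunnel-group name) so that the match condition is visible in the configuration and can be tightened to other subject attributes later.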
