IPSEC VPN Between Pix 515E and 1841 Router

veltech
Level 1

Hi All,

BACKGROUND

We have set up a site to site IPSEC VPN between a Pix 515E running 8.0 (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and ASDM on the pix to build the initial tunnels. Now the site with the router is changing to a Dynamic IP address from the ISP so we have set up Dynamic DNS to update the dynamic IP address.

PROBLEM

The problem we have is that ASDM will not allow us to set a domain as the peer address; it will only accept an IP address. We think the solution will be to remove the static crypto map and replace it with a dynamic crypto map on the Pix side. Our questions are simply: is this the best solution? Can we edit the original static list, or is it better to delete it and make a new dynamic crypto map? Is there a shortcut to change the config in the command line? This is a live network, so we just want to check before we make changes on live kit.

Any help greatly appreciated.

4 Replies

You can't delete the static crypto map and replace it with a dynamic one. The dynamic crypto-maps are included into the static crypto-maps and the static crypto map stays on the interface. That should look like this:

crypto dynamic-map dynmap 10 set transform-set esp-aes256-sha
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-map 1 match address CRYPTO-PEER1
crypto map vpn-map 1 annotation Connection to Peer 1
crypto map vpn-map 1 set peer 1.2.3.4
crypto map vpn-map 1 set transform-set esp-aes256-sha
crypto map vpn-map 1 set reverse-route
crypto map vpn-map 65000 ipsec-isakmp dynamic dynmap
crypto map vpn-map interface outside

If you only have the one dynamic connection, then skip everything with the sequence "1".

Another possibility is to configure the 1841 as an EasyVPN-remote and the PIX as an EasyVPN-Server, but the above solution should be easier to implement.

Hi

Thanks for response.

The VPN is working fine but the problem is we want to set the peer address on the pix to a domain name to avoid reconfiguration every time the IP address changes with the ISP. If we do an nslookup it resolves correctly.

When we enter ".... set peer any.domain.net" we get "can not interperet ip address" in ASDM and in CLI it will not work either.

Any ideas?

Thanks.

You don't have to change anything when the peer-address changes. The purpose of the dynamic crypto-map is to take connections from dynamic peers. The only thing to remember is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared-Keys, as now you have to use a wildcard-PSK.

As far as I remember, the PIX/ASA doesn't support the usage of FQDNs for dynamic peer-resolution. In IOS this feature is supported.

For functionality, it would be best to get back to static IP-addresses on both sides.
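As an added example (not posted by anyone in this thread), the PIX/ASA 8.0 side of the dynamic-peer setup described in the two answers above, combining the dynamic crypto map with the wildcard pre-shared key on the default L2L tunnel-group and a match-address ACL that limits what the dynamic peer may negotiate. The names dynmap, vpn-map, esp-aes256-sha and CRYPTO-PEER-DYN, the 192.0.2.0/24 and 198.51.100.0/24 subnets and the key value are assumptions and placeholders; the lines starting with "!" are notes for the reader.

```cisco
! PIX/ASA 8.0 responder for a peer whose address changes (added example, names assumed)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac

! Constructed proxy identities (documentation subnets): local 192.0.2.0/24, remote 198.51.100.0/24.
! With a match address on the dynamic map the PIX only accepts these proxy IDs from the
! dynamic peer; without it the responder accepts whatever the remote proposes.
access-list CRYPTO-PEER-DYN extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0

! Wildcard PSK: any peer that knows this key can bring up a tunnel that matches the ACL.
! That is the reduced security the accepted answer describes, so use a long random key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY

! Dynamic map, attached to the existing static map with the highest sequence number
! so any static peers (lower sequence numbers) are matched first.
crypto dynamic-map dynmap 10 match address CRYPTO-PEER-DYN
crypto dynamic-map dynmap 10 set transform-set esp-aes256-sha
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-map 65000 ipsec-isakmp dynamic dynmap
crypto map vpn-map interface outside

! Only the 1841 can initiate. After it does, verify on the PIX with:
!   show crypto isakmp sa
!   show crypto ipsec sa peer <router's current address>
```

Because the PIX never initiates, traffic from the PIX side alone will not bring the tunnel up; keep-alives or periodic traffic from the router side are what keep it established.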

Thanks for your help. As you say, FQDNs are not supported on the pix/asa, so we will configure a dynamic VPN instead. It is rare that we would use a dynamic IP address; we normally use statics, and I have only ever used static addresses at both ends.

Thanks again