Question : Using URL instead of IP address in isakmp preshare and crypto map on Cisco Pix

Hi,

This is kind of a curiosity question. I do a lot of VPNs on Cisco PIXes. I have a case where a client is thinking they may want to change the ISP on one side of a VPN that I've built. In order to facilitate this, they wanted me to use a URL instead of an IP address on both the isakmp pre-share key and crypto map lines of the config. So the lines that would normally look like this:

crypto map blahblahblah 15 set peer
isakmp key ******** address netmask 255.255.255.255 no-xauth no-config-mode

would end up looking like this:

crypto map blahblahblah 15 set peer fw.remotedomain.com
isakmp key ******** address fw.remotedomain.com netmask 255.255.255.255 no-xauth no-config-mode

where fw.remotedomain.com would resolve to the IP address of the remote peer.

I thought it might be as simple as setting the PIX up with a set of DNS servers to use for name resolution and using the URL instead of the IP address. But it's not. The PIX will not accept anything except an IP address.

Does anyone know if there's a way to do this?

Thanks,

Ben

Answer : Using URL instead of IP address in isakmp preshare and crypto map on Cisco Pix

The PIX is a security appliance and therefore has the least amount of services running... DNS resolution is not one of the services running in PIX OS. So, there is no way of doing this as you stated.

The only thing that would come close to what you want to do is a dynamic map on the peer that is NOT changing its ISP... I think this would be a bad idea, so it would be better to just change the IP address to the new one when they change their ISP.
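
For reference, the two options the answer compares, as an added configuration sketch that is not part of the original thread. It assumes the PIX 6.x-style syntax used in the question; the names `dynmap`, `myset` and `vpn-acl` are hypothetical, and 192.0.2.10 is a constructed documentation address.

```text
: (A) Static peer, as in the question: the pre-shared key is bound to
:     exactly one remote address (192.0.2.10 is a constructed example).
crypto map blahblahblah 15 ipsec-isakmp
crypto map blahblahblah 15 match address vpn-acl
crypto map blahblahblah 15 set peer 192.0.2.10
crypto map blahblahblah 15 set transform-set myset
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255 no-xauth no-config-mode

: (B) Dynamic map on the side that keeps its ISP: there is no
:     "set peer" line, so the remote address does not need to be known.
crypto dynamic-map dynmap 10 set transform-set myset
crypto map blahblahblah 65535 ipsec-isakmp dynamic dynmap
: Because the peer address is unknown, the key can no longer be tied to
: one host and has to be entered as a wildcard.
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
```

With (B) the tunnel can only be brought up from the side whose address changes, and the pre-shared key is accepted from any source address rather than from a single known peer.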