Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pix 515 to resolve DNS for VPN 1

Status
Not open for further replies.
tonymullen

tonymullen

MIS
Jan 3, 2003
68
0
0
GB
Hi, I just have a quick question. In the office we have a Pix 515 that VPNs to a number of sites. I have in a remote location got a Pix 501 that is connected to an ADSL line, receiving a dynamic ip address.

I can give this a domain name using no-ip so it's got an internet address of server.no-ip.com that points to my dynamic ip address.

Now the question - how do I get the 515 to resolve the address? I've tried pinging domains from the console and it does not resolve the internet address & I cant see anywhere in my config that specifies a DNS server. Do I just need to add a dns line and what is the syntax for it?

Thanks again,

Tony
 
Sort by date Sort by votes

Bad luck unfortuantly, the PIX doesn't support DNS resolution for "security reasons". A way around this which I use is to setup a DNS Server on the internal network to the 515 and then map the domain traffic to it..


Hope that helps,


Cheers, Andy

Andy Simpson CNE, MCSE, CCA, CCNA
 
Upvote 0 Downvote
The PIX wont resolve the DNS request on behalf of a client, and there is no command to allow DNS lookup from the command line.

There is a name command, this maps an IP address to a name like a host file. You could then ping the name.

If you want DNS addresses supplying to your users at the remote sites then you can do this with DHCP on the PIX. Configure the PIX to supply all the IP details they require.
 
Upvote 0 Downvote
Thanks for the response. I'm not sure I understand the dns server answer. I need to do a crypto set peer line for my 501 that has a dynamic IP address.

I thought I'd be able to do:
crypto map mapname set peer server.no-ip.com

obviously not if it won't do dns lookup, but how does a dns server help? I was sure I'd seen somewhere that you can do a vpn using dynamic IP addresses & everywhere I've seen it seems to vaguely point to using a no-ip type service.

thanks again

Tony
 
Upvote 0 Downvote
The problem as I see it is that you are trying to establish a VPN from the central PIX to the remote PIX. But the remote PIX's IP address is supplied by DHCP by the ISP. Therefore you cannot configure the preshared key for IKE on the central PIX, as you dont know the remote PIX outside IP address?

If that's the case have a read of this Cisco document, may point you in the right direction.

 
Upvote 0 Downvote
Thanks, that's exactly what I was after. I was just thinking of it in the wrong terms - I didn't realise that you could do dynamic vpn commands. I'll give it a go at the weekend but I'm sure that will work now.

Tony
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
138
Johnkite
Johnkite
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
167
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
51
WhosYourDiffie
WhosYourDiffie
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
118
XLNTech1
XLNTech1

Part and Inventory Search

Sponsor

Back
Top