
PIX 515R VPN set peer command

Status
Not open for further replies.

sebastianganson (Programmer), Jan 10, 2001, US
Apologies if this question has already been posted.

I am trying to determine whether or not I can use a DNS entry for the set peer command on our PIX to establish a VPN connection to another (non-Cisco) firewall. The non-Cisco firewall does not have a static IP address and we do not want to set the IP address of the incoming host to be just ANY IP address. It was therefore suggested that instead of using (e.g.)

crypto map PIXTONOTPIX 20 set peer 111.111.111.111

we could use

crypto map PIXTONOTPIX 20 set peer them.there.com

(In anticipation of the question: the NOTPIX side has a method of dynamically updating their DNS entry whenever their ISP-provided IP address is reset, which is why the DNS entry would virtually be a static entry.)

I tried searching Cisco's site, but all of the examples use IP addresses and no DNS entries.

In addition, though this may not have any bearing on the matter, I am unable to ping from the PIX to anywhere with anything other than an IP address, which is what causes me to worry about using a DNS entry in the peer command.

Is there something else I need to set, or will this config just not work?

Regards,
Sebastian
 
I think this link will provide you some insight into your question. Basically, if you set up a dynamic map, the PIX does not need to previously know about the peer -- so while this may not be an ideal solution if you are doing something like certificate-based authentication, it should be an acceptable trade-off.

Barring that, if you know the netblock your peer will be in, you can set up the crypto map and isakmp to allow in a broader range of IPs while still restricting most Internet hosts from accessing your PIX.

I don't think there is any setting in the PIX to perform name resolution, therefore I don't believe you can use a hostname in your configuration.

Tom
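An added worked example of the dynamic-map approach Tom describes, written as PIX 6.x configuration; it is not from the thread or from Cisco documentation. The netblock 111.111.0.0/16, the inside and remote subnets, and the names DYNMAP, STRONG and NOTPIX-TRAFFIC are assumptions:

```text
! Added example (not from the thread): PIX 6.x dynamic crypto map so the PIX
! accepts IKE from a peer whose address is not known in advance.
! 111.111.0.0/16 and the 10.1.1.0/24 <-> 192.168.5.0/24 subnets are assumed values.
! Note: the PIX 6.x "name"/"names" commands only create a local alias for a
! fixed IP; they never query DNS, so "set peer them.there.com" cannot resolve.

! Phase 1 (ISAKMP) policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Weak form: any address on the Internet may attempt IKE with this key
! isakmp key <PRE-SHARED-KEY> address 0.0.0.0 netmask 0.0.0.0

! Narrowed form: only the ISP netblock the peer can land in (assumed /16)
isakmp key <PRE-SHARED-KEY> address 111.111.0.0 netmask 255.255.0.0

! Phase 2 (IPsec) transform and the traffic the tunnel must carry
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
access-list NOTPIX-TRAFFIC permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
! Exempt the tunnelled traffic from NAT
nat (inside) 0 access-list NOTPIX-TRAFFIC

! Dynamic map: no "set peer" line; the PIX learns the peer address from the
! incoming negotiation. Caveat: the PIX can then only respond, never initiate,
! so the NOTPIX side must always bring the tunnel up.
crypto dynamic-map DYNMAP 10 match address NOTPIX-TRAFFIC
crypto dynamic-map DYNMAP 10 set transform-set STRONG

! Reference the dynamic map from the static map at the highest sequence number
! so any explicit "set peer" entries (lower numbers) are evaluated first
crypto map PIXTONOTPIX 65535 ipsec-isakmp dynamic DYNMAP
crypto map PIXTONOTPIX interface outside

! Let IPsec-protected traffic bypass the conduit/access-list checks
sysopt connection permit-ipsec
```

Verify the result with `show crypto isakmp sa` and `show crypto ipsec sa` after the remote side initiates; with the key scoped to a netblock, IKE from addresses outside it fails at Phase 1.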
 