I've been setting up a new ASA for the office. This one is connected via Verizon DSL, so we don't have a static IP address. So to allow people to dial in via VPN, I need to set up DDNS.
I'm an engineer, but I'm a Cisco newbie. I'm probably missing something completely obvious, but I've been bashing my head against a brick wall for hours and I'm not seeing it.
Our ASA 5505 uses software version 8.2(1) and so far as I can see there's no way to upgrade it to anything else. It claims to have a bunch of DDNS code in it, but I can't see any way to specify how to reach the DDNS server by HTTP. First of all (at least in 'configure terminal') the 'ip ddns' command is not recognized, though the 'ddns' command is. And there's no 'http add' under 'ddns method update' (and 'http' comes back 'incomplete command').
I've seen so many people reporting that they have DynDNS working on the 5505 that there has to be something obvious I'm doing wrong. What on earth is it?
Our config follows:
```
asa-ma-vz# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname asa-ma-vz
domain-name ourcompany.com
enable password <redacted> encrypted
passwd <redacted> encrypted
names
ddns update method DynDNS
 ddns both
 interval maximum 0 1 0 0
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.24.0.2 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ddns update hostname ourcompany.dyndns.org
 ddns update DynDNS
 dhcp client update dns
 pppoe client vpdn group verizon
 ip address pppoe setroute
!
interface Vlan5
 shutdown
 nameif dmz
 security-level 50
 ip address 172.24.254.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ourcompany.com
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.24.0.0 255.252.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
<redacted crypto key>
telnet timeout 5
ssh 172.24.0.0 255.252.0.0 inside
ssh timeout 5
console timeout 0
vpdn group verizon request dialout pppoe
vpdn group verizon localname ourcompany
vpdn group verizon ppp authentication pap
vpdn username ourcompany password *********
dhcpd auto_config outside
!
dhcpd address 172.24.3.253-172.24.3.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password <redacted> encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:<redacted>
: end
```
Answer by Scarabaeus · Mar 30, 2011 at 04:35 PM
Hello Alistair Bell,
From what I can find ASA devices do not support HTTP structured update requests required by DynDNS.
See this Reference:
I do not have any ASA devices and therefore am not very familiar with their OS, which is different from IOS on routers and some switches.
Some users have attached consumer routers (Linksys, etc.) behind the ASA device. And configured DDNS updates on the consumer router.
See this Reference:
Also from the Cisco Command Lookup for ASA IOS 8.0 release concerning DDNS update method:
Dynamic DNS (DDNS) updates the name to address and address to name mappings maintained by DNS. Of the two methods for performing DDNS updates—the IETF standard defined by RFC 2136 and a generic HTTP method—the security appliance supports the IETF method in this release.
Maybe there will be others on the forum that can shed more light on this subject.
Hope this helps.
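As an added illustration (not part of this thread or of any Cisco code) of what the "IETF method" in the quoted Cisco text means: an RFC 2136 DNS UPDATE is a binary DNS message with opcode 5, not an HTTP request, which is why a DynDNS-style HTTP endpoint cannot consume it. The zone, host name and address below are constructed sample values; the message carries no TSIG, so a real server should only accept it if its update policy explicitly allows unauthenticated updates (normally it should not).

```python
# Added example: build a minimal RFC 2136 DNS UPDATE message with the standard library only.
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_a_record_update(zone: str, host: str, ip: str,
                          ttl: int = 300, msg_id: int = 0x1234) -> bytes:
    """Build an UPDATE (opcode 5) that adds one A record for `host` inside `zone`.

    RFC 2136 sections: header, Zone (1 entry), Prerequisite (0), Update (1 RR), Additional (0).
    No TSIG record is attached, so this message carries no authentication at all.
    """
    # Header: ID, flags (QR=0, opcode=5 -> 0x2800), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)
    # Zone section: zone name, type SOA (6), class IN (1)
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)
    # Update section: one RR to add: name, type A (1), class IN (1), TTL, RDLENGTH, RDATA
    rdata = bytes(int(octet) for octet in ip.split("."))  # raises ValueError on octets > 255
    if len(rdata) != 4:
        raise ValueError("expected a dotted-quad IPv4 address")
    update_sec = encode_name(host) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + zone_sec + update_sec

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header so the opcode and section counts can be inspected."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}

if __name__ == "__main__":
    # Constructed sample: publish the firewall's outside address inside a zone we control.
    msg = build_a_record_update("ourcompany.com", "asa.ourcompany.com", "203.0.113.10")
    print(len(msg), "bytes;", parse_header(msg))
```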
Answer by alpha-logix · Dec 08, 2011 at 08:00 PM
The above post by forgetIT will not work. I believe it is an attempt to skim passwords or get your ASA to auto-update to an unofficial firmware. DO NOT DO IT.
The auto-update command is for upgrading the ASA firmware: http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1630893
BTW, I am also trying to find a method to update my DynDNS using an ASA, but it looks like I'm going to have to set up another device on the inside of the network to do it.
Answer by nirvana80 · Apr 07, 2013 at 01:07 PM
I don't remember if the ASA implementation is the same as IOS, but I'm pretty sure it's the same or pretty similar. This post might be of interest: http://www.dyncommunity.com/questions/32135/configure-new-digicert-certificate-used-from-03272.html