Enabling Redirection Using A Fully-Qualified Domain Name - Cisco PIX 500 Series Configuration Manual

Chapter 29
Setting General IPSec VPN Parameters
Step 5  If you enable cluster encryption, you must also specify the IPSec shared secret by entering the cluster key command. This command specifies the shared secret between IPSec peers when you have enabled IPSec encryption. The value you enter appears as consecutive asterisk characters.

hostname(config-load-balancing)# cluster key shared_secret
hostname(config-load-balancing)#

For example, to set the shared secret to 123456789, enter the following command:

hostname(config-load-balancing)# cluster key 123456789
hostname(config-load-balancing)#

Step 6  Enable this device's participation in the cluster by entering the participate command:

hostname(config-load-balancing)# participate
hostname(config-load-balancing)#

Enabling Redirection Using a Fully-qualified Domain Name

To enable or disable redirection using a fully-qualified domain name in vpn load-balancing mode, use
the redirect-fqdn enable command in global configuration mode. This behavior is disabled by default.
By default, the ASA sends only IP addresses in load-balancing redirection to a client. If certificates are
in use that are based on DNS names, the certificates will be invalid when redirected to a secondary
device.
As a VPN cluster master, this security appliance can send a fully qualified domain name (FQDN), using
reverse DNS lookup, of a cluster device (another security appliance in the cluster), instead of its outside
IP address, when redirecting VPN client connections to that cluster device.
All of the outside and inside network interfaces on the load-balancing devices in a cluster must be on the
same IP network.
To do WebVPN load balancing using FQDNs rather than IP addresses, perform the following configuration steps:

Step 1  Enable the use of FQDNs for load balancing with the redirect-fqdn enable command:

redirect-fqdn {enable | disable}
no redirect-fqdn {enable | disable}

For example,

hostname(config-load-balancing)# redirect-fqdn enable
hostname(config-load-balancing)#
Step 2  Add an entry for each of your ASA outside interfaces into your DNS server, if such entries are not already present. Each ASA outside IP address should have a DNS entry associated with it for lookups. These DNS entries must also be enabled for reverse lookup.

Step 3  Enable DNS lookups on your ASA with the command "dns domain-lookup inside" (or whichever interface has a route to your DNS server).

Step 4  Define your DNS server IP address on the ASA; for example:

dns name-server 10.2.3.4

(IP address of your DNS server).

The following is an example of a VPN load-balancing command sequence that includes an interface command that enables redirection for a fully-qualified domain name, specifies the public interface of the cluster as "test" and the private interface of the cluster as "foo":

hostname(config)# vpn load-balancing

Configuring Load Balancing
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
29-11
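The procedure above depends on two things that are easy to get wrong: Step 2 requires every cluster member's outside IP to have a forward entry and a working reverse (PTR) entry, and the whole point of redirect-fqdn is that a WebVPN certificate issued to a DNS name will not validate against an IP-address redirect. The following Python script is an added example, not Cisco code and not part of the guide; it checks both conditions. check_cluster_dns() performs forward-confirmed reverse DNS for each outside IP (against the system resolver, or against an injected lookup table for offline use), and san_matches_redirect_target() applies the usual subjectAltName matching rules (exact or single-label wildcard DNS match, exact IP match) to show which redirect target a client would accept. All hostnames, IP addresses and certificate names in it are constructed sample values.

```python
"""
Added example (not from the Cisco guide): pre-flight checks for FQDN-based
VPN load-balancing redirection.

1. Step 2 of the procedure: every ASA outside IP needs an A record and a PTR
   record. check_cluster_dns() confirms that the PTR name resolves back to
   the same IP (forward-confirmed reverse DNS).
2. Why redirect-fqdn exists: a certificate issued to a DNS name does not match
   an IP-address redirect target. san_matches_redirect_target() applies the
   usual subjectAltName matching rules to show which targets a client accepts.

Hostnames, IPs and certificate names used below are constructed samples.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Resolver callbacks so the checks run offline against a table or live against DNS.
ReverseFn = Callable[[str], Optional[str]]   # ip -> fqdn, or None if no PTR
ForwardFn = Callable[[str], List[str]]       # fqdn -> list of IPv4 addresses


def live_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror / socket.gaierror
        return None


def live_forward(name: str) -> List[str]:
    """Forward (A) lookup through the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def check_cluster_dns(outside_ips: List[str], reverse: ReverseFn = live_reverse,
                      forward: ForwardFn = live_forward) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {ip: (status, fqdn)} for each cluster member's outside IP."""
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for ip in outside_ips:
        fqdn = reverse(ip)
        if fqdn is None:
            results[ip] = ("missing-ptr", None)        # Step 2: reverse lookup not set up
        elif ip not in forward(fqdn):
            results[ip] = ("forward-mismatch", fqdn)   # PTR names a host that does not resolve back
        else:
            results[ip] = ("ok", fqdn)
    return results


def _dns_name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS-ID match; one leading wildcard label is allowed."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False


def san_matches_redirect_target(san_entries: List[Tuple[str, str]], target: str) -> bool:
    """
    san_entries: (type, value) pairs with type "DNS" or "IP", as found in a
    certificate's subjectAltName. target: what the cluster master sends in the
    redirect, an IP literal or an FQDN. An IP literal only matches an IP SAN;
    a hostname only matches a DNS SAN.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for san_type, value in san_entries:
        if target_ip is not None and san_type == "IP":
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue
        elif target_ip is None and san_type == "DNS" and _dns_name_matches(value, target):
            return True
    return False


def redirect_check(member_ip: str, san_entries: List[Tuple[str, str]],
                   reverse: ReverseFn = live_reverse) -> Dict[str, bool]:
    """Would a client accept the IP-form and the FQDN-form redirect for this member?"""
    fqdn = reverse(member_ip)
    return {
        "ip-redirect": san_matches_redirect_target(san_entries, member_ip),
        "fqdn-redirect": fqdn is not None and san_matches_redirect_target(san_entries, fqdn),
    }


if __name__ == "__main__":
    # Constructed sample zone: PTR and A records for two members, a third IP with no PTR.
    ptr = {"10.2.3.11": "vpn1.example.com", "10.2.3.12": "vpn2.example.com"}
    a_records = {"vpn1.example.com": ["10.2.3.11"], "vpn2.example.com": ["10.2.3.12"]}
    member_san = [("DNS", "vpn2.example.com"), ("DNS", "*.example.com")]  # constructed cert SANs
    print(check_cluster_dns(["10.2.3.11", "10.2.3.12", "10.2.3.13"],
                            reverse=ptr.get, forward=lambda n: a_records.get(n, [])))
    print(redirect_check("10.2.3.12", member_san, reverse=ptr.get))
```

Run it with no arguments to see the offline sample; to check a real cluster, call check_cluster_dns() with the members' outside IPs and the default live resolvers and treat any "missing-ptr" or "forward-mismatch" entry as a Step 2 problem to fix before enabling redirect-fqdn. The offline sample shows the motivating case: with a certificate issued only to DNS names, the IP-form redirect fails hostname matching while the FQDN-form redirect derived from the PTR record succeeds.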