Cisco router with DHCP address connecting IPSEC to Cloud Web Security service
Article ID: 165537

Products

CDP Integration Server

Issue/Introduction

Connecting to the Cloud Web Security service using IPSEC requires that the Cloud peer know the IP address that the firewall or router connects from. This is defined manually in your portal under Network Locations.

When a router has a DHCP address on its outside interface, you cannot guarantee that the address will remain the same. If the address changes, the network location in the portal must be updated to reflect the new IP address; otherwise the IPSEC tunnel will fail to establish, which can cause a site outage.

Resolution

Using the Cisco IOS "ip ddns" commands, it is possible to send updated IP address information to the Cloud and dynamically update the network location in your portal. The update is sent whenever the interface receives an IP address through DHCP.

routername(config)#ip ddns update method update-cloud
routername(DDNS-update-method)#http
routername(DDNS-HTTP)#add https://username:Mypassword1@portal.threatpulse.com/api/l?n=<h>&t=f&i=<a>&k=12345678

username - Your username, created as part of the API keys under Account Maintenance in the portal. API key usernames must be unique.
Mypassword1 - The password that belongs to the API key.
portal.threatpulse.com - Where the updates are sent. Do not use an IP address here: the name resolves to a Control Pod, and if the active Control Pod changes to a different one you still need to be able to update the network location successfully.
n=<h> - Adds the host name to the query. In this form the name is the router hostname with the DNS domain suffix appended.
i=<a> - Adds the current IP address to the query.
k=12345678 - The pre-shared key that will be used to establish the IPSEC tunnel. It can be any alphanumeric string and must be at least 8 characters long.

To enter the "?" character, press Ctrl-V first and then type "?" (without quotes); otherwise IOS treats "?" as a request for context-sensitive help instead of part of the URL.

What happens when this query is sent to your portal?
1 - If no network location is defined for the hostname, a new location is created with the information provided in the query string.
2 - If a network location already exists for the provided hostname, its IP address is updated.
3 - If a network location already exists with a different hostname but the same IP address that was provided in the query, an error is returned and the network location is not created.

This HTTP query can be used in a script to create multiple network locations at once. It can also be sent from a browser to create a single network location.
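The Python below is an added example and is not code from the article or from the product. It shows how a provisioning script would build the same update URL the router sends (with the key-length rule from the resolution enforced and the API credentials carried in an Authorization header rather than in the URL), and it walks a small batch of sites through the three portal outcomes listed above using a constructed in-memory stand-in for the portal. The hostnames and 203.0.113.x addresses are constructed, the `send_update` helper and the order in which the model checks an address conflict against an existing hostname are assumptions, and the `t=f` parameter is copied from the article's URL without being explained there.

```python
"""Added example: build the network-location update query and model the portal rules."""
from __future__ import annotations

import base64
import ipaddress
import re
import urllib.parse
import urllib.request

PORTAL_HOST = "portal.threatpulse.com"   # from the article: use the name, never an IP
# Pre-shared key rule from the article: alphanumeric, at least 8 characters.
PSK_RE = re.compile(r"^[A-Za-z0-9]{8,}$")


def validate_psk(psk: str) -> bool:
    """True if the key satisfies the article's length and character rule."""
    return PSK_RE.fullmatch(psk) is not None


def build_update_url(hostname: str, address: str, psk: str) -> str:
    """URL the router's 'ip ddns' method sends, with n=<h>, i=<a> and k= filled in.

    Unlike the router form, the API username/password are not embedded in the URL;
    send_update() carries them in an Authorization header so they do not end up in
    proxy logs or shell history.
    """
    if not validate_psk(psk):
        raise ValueError("pre-shared key must be alphanumeric and at least 8 characters")
    ipaddress.IPv4Address(address)   # raises ValueError on anything but a valid IPv4 address
    # 't=f' is copied from the article's URL; the article does not explain it.
    query = urllib.parse.urlencode({"n": hostname, "t": "f", "i": address, "k": psk})
    return f"https://{PORTAL_HOST}/api/l?{query}"


def send_update(url: str, api_user: str, api_password: str, timeout: float = 10.0) -> int:
    """Assumed helper: send one update with HTTP basic auth and return the status code.

    The portal's response body is not described in the article, so only the status is
    returned. Not called by the demo below because it needs network access.
    """
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


class PortalModel:
    """Constructed in-memory stand-in for the portal implementing the three listed rules.

    Assumption: an address conflict with a *different* hostname is checked before an
    existing hostname is updated; the article does not say which rule wins there.
    """

    def __init__(self) -> None:
        self.locations: dict[str, tuple[str, str]] = {}   # hostname -> (ip, psk)

    def update(self, hostname: str, address: str, psk: str) -> str:
        for other, (ip, _) in self.locations.items():
            if other != hostname and ip == address:
                return "conflict"            # rule 3: same IP under a different hostname
        if hostname in self.locations:
            self.locations[hostname] = (address, psk)
            return "updated"                 # rule 2: hostname known, IP refreshed
        self.locations[hostname] = (address, psk)
        return "created"                     # rule 1: new network location


def batch_update(portal: PortalModel, sites) -> dict[str, str]:
    """Apply (hostname, address, psk) tuples in order, as a bulk-provisioning script would."""
    return {host: portal.update(host, addr, psk) for host, addr, psk in sites}


def demo_scenario() -> dict[str, str]:
    """Constructed sites (documentation addresses) that exercise all three outcomes."""
    portal = PortalModel()
    first = batch_update(portal, [
        ("rtr-a.example.com", "203.0.113.10", "12345678"),
        ("rtr-b.example.com", "203.0.113.20", "abcdefgh"),
    ])
    # rtr-a's DHCP lease changed; rtr-c tries to register with rtr-b's address.
    second = batch_update(portal, [
        ("rtr-a.example.com", "203.0.113.11", "12345678"),
        ("rtr-c.example.com", "203.0.113.20", "zzzz9999"),
    ])
    return {**{f"1:{k}": v for k, v in first.items()},
            **{f"2:{k}": v for k, v in second.items()}}


if __name__ == "__main__":
    print(build_update_url("rtr-a.example.com", "203.0.113.10", "12345678"))
    for step, outcome in demo_scenario().items():
        print(step, outcome)
```

Running the script prints the URL for the first site and then the outcome of each update: the two initial registrations are created, the lease change on rtr-a is an update, and rtr-c's attempt to reuse rtr-b's address is rejected, which is the conflict a bulk script has to detect before it silently leaves a site without a tunnel.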

Confirmed to work with Cisco IOS 12.4 and 15.0.