Cisco router with DHCP address connecting IPSEC to Cloud Web Security service

Solutions ID:    KB4614
Version:    7.0
Status:    Published
Published date:    09/07/2011
Updated:    02/10/2014

Problem Description

Connecting to the Cloud Web Security service using IPSEC requires that the Cloud peer know the IP address that the firewall or router is coming from.  This is defined manually in your portal under network locations.

When a router has a DHCP address on its outside interface you cannot guarantee that the address will remain the same.  If the address does change, the network location in the portal must be updated to reflect the new IP address; otherwise the IPSEC tunnel will fail to establish.  This can cause a site outage.

Resolution

Using the Cisco command "ip ddns . . ." it is possible to send updated IP address information to the Cloud to dynamically update the network location in your portal.  This command executes each time the interface receives an IP address through DHCP.

routername(config)#ip ddns update method update-cloud
routername(DDNS-update-method)#http
routername(DDNS-HTTP)#add https://username:Mypassword1@portal.threatpulse.com/api/l?n=<h>&t=f&i=<a>&k=12345678
 

username - the username created as part of the API key that is defined in the portal under Account Maintenance.  API key usernames must be unique.
Mypassword1 - the password used as part of the API key.
portal.threatpulse.com - where the updates are sent.  Do not use an IP address here.  The hostname resolves to a Control Pod, and if the active Control Pod changes to a different one, using the name ensures you can still successfully update the network location.
n=<h> - adds the host name to the query.  In this form the name will be the router name with the DNS domain suffix appended.
i=<a> - adds the current IP address to the query.
k=12345678 - the pre-shared key that will be used to establish the IPSEC tunnel.  It can be any alphanumeric string and must be at least 8 characters long.

Because "?" invokes context-sensitive help in the IOS CLI, to enter the character "?" in the URL you need to press Ctrl-V first and then type "?" (without quotes).

What happens when this query is sent to your portal?
1 - If no network location is defined for the hostname, a new location is created with the information provided in the query string.
2 - If a network location already exists for the provided hostname, its IP address is updated.
3 - If a network location already exists with a different hostname but the same IP address that was provided in the query, an error is returned and the network location is not created.

This HTTP query can be used in a script to create multiple network locations at a time.  It can also be used from a browser to create the network location.
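As an added example (not part of the KB article), the following script builds and submits the same /api/l query for a list of routers, filling in the n=<h> and i=<a> placeholders from an inventory and checking each entry against the pre-shared key rule above before anything is sent.  It assumes the portal accepts the URL-embedded username and password as HTTP Basic authentication and that the addresses are IPv4.

```python
import base64
import ipaddress
import re
import urllib.error
import urllib.parse
import urllib.request

# Endpoint from the KB article. Use the hostname, never a Control Pod IP address.
PORTAL = "https://portal.threatpulse.com/api/l"
# Article's rule for the k= parameter: alphanumeric, at least 8 characters.
PSK_RULE = re.compile(r"^[A-Za-z0-9]{8,}$")


def build_update_url(hostname, ip, psk, portal=PORTAL):
    """Return the /api/l URL for one router with n=<h> and i=<a> filled in.
    Raises ValueError for an entry the portal would reject, so a bad line in a
    batch is caught before any request is sent."""
    if not hostname or any(c.isspace() for c in hostname):
        raise ValueError("hostname must be a single DNS name, got %r" % hostname)
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if not PSK_RULE.match(psk):
        raise ValueError("pre-shared key must be alphanumeric and at least 8 characters")
    # urlencode percent-encodes anything unsafe; t=f is sent unchanged as in the article.
    return "%s?%s" % (portal, urllib.parse.urlencode({"n": hostname, "t": "f", "i": ip, "k": psk}))


def register_locations(username, password, locations, dry_run=True):
    """Create or update one network location per (hostname, ip, psk) tuple.
    With dry_run=True the built URL is returned for review instead of being sent.
    Credentials go in an Authorization header (assumed equivalent to the article's
    user:pass@ form). Returns [(hostname, url | status | 'rejected: ..' | 'error: ..')]."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    results = []
    for hostname, ip, psk in locations:
        try:
            url = build_update_url(hostname, ip, psk)
        except ValueError as exc:
            results.append((hostname, "rejected: %s" % exc))
            continue
        if dry_run:
            results.append((hostname, url))
            continue
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                results.append((hostname, resp.status))
        except urllib.error.URLError as exc:  # e.g. rule 3: IP already used by another hostname
            results.append((hostname, "error: %s" % exc))
    return results


if __name__ == "__main__":
    # Constructed inventory: (router hostname, DHCP address, IPSEC pre-shared key).
    inventory = [("rtr-branch1.example.com", "198.51.100.7", "Abcd1234"),
                 ("rtr-branch2.example.com", "198.51.100.8", "short")]
    for host, outcome in register_locations("apiuser", "Mypassword1", inventory):
        print(host, outcome)
```

Run with dry_run=False once the reviewed URLs look right; the second inventory entry is rejected locally because its key is shorter than 8 characters.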

Confirmed to work with Cisco IOS 12.4 and 15.0.
