DDNS and Cisco Gear

Keeping track of remote offices that reach the corporate network over Internet VPN rather than an MPLS circuit can be a challenge, because their public address changes whenever the ISP hands out a new DHCP lease. Some ISPs really want to gouge you for a "static" IP that may not actually be static. This is where Dynamic DNS (DDNS) comes into play: the router registers its current public address under a fixed hostname, and the VPN peer or admin resolves that name instead of tracking the address. Cisco routers have DDNS support built into IOS. ASAs are only starting to get it (you can see early signs in the 8.2.2 code); for an ASA you will need a PC behind it running some type of DDNS client (DynInc and OpenDNS both offer such clients for download).

If you are using a Cisco router on a public Internet connection, it is safe to assume you are running either the classic IOS Firewall (CBAC) or the Zone-Based Firewall. DDNS is not well documented on Cisco's website, but one thing to remember is that the update is sourced by the router itself, so the provider's reply arrives on the outside-to-self zone pair. If that zone pair has a restrictive policy you must allow the DDNS reply from the outside zone to the self zone; otherwise you will see the DDNS process start in the debugs but never complete. There are several debug ip ddns update and show ip ddns update commands you can use to confirm that everything is working as expected.

If you are not already using service password-encryption to protect the enable and other login passwords on the router, now would be a good time to do so (and keep in mind that the type 7 encryption it applies is reversible, so use enable secret rather than enable password). When setting up DDNS on a router, your login name and password for the DDNS service are written into the update URL in the configuration, and with an HTTP update method they also cross the Internet in the clear. Check show running-config on your IOS version to see whether the URL password is obfuscated, and treat the configuration as sensitive either way. Do some digging into how the particular DDNS service you will be using works. The main things to look at are which server(s) you will be talking to and which one(s) will be responding. It is a good idea to lock down the ACL on the Zone-Based Firewall so that return DDNS traffic is only accepted from the sources you are expecting, so that nobody can spoof a reply or otherwise cause problems for you.
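The following IOS configuration puts the pieces above together: the DDNS update method, the WAN interface that triggers it, and the outside-to-self zone pair that lets only the provider's reply (plus the ISP's DHCP replies) reach the router. This is an added example written for this post, not configuration taken from the original article or from Cisco documentation. The method name, hostnames, the provider's update URL and the server address 203.0.113.10 are placeholders; substitute the values your DDNS provider documents. The `<h>` and `<a>` tokens in the URL are the hostname and address variables IOS substitutes at update time.

```ios
! --- Credential hygiene (type 7 is reversible; the enable secret is hashed) ---
service password-encryption
enable secret ChangeMeToSomethingLong
!
! --- DDNS update method: HTTP GET to the provider with the account credentials ---
! The user:pass pair lives in this URL in the config and on the wire with HTTP.
ip ddns update method DDNS-HTTP
 HTTP
  add http://ddnsuser:ddnspass@members.example-ddns.net/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
!
! --- WAN interface: DHCP from the ISP; a lease change triggers the update ---
interface GigabitEthernet0/0
 description ISP uplink (dynamic address)
 ip address dhcp
 ip ddns update hostname branch01.example-ddns.net
 ip ddns update DDNS-HTTP
 zone-member security OUTSIDE
!
zone security OUTSIDE
!
! --- Only the provider's update server may answer, from TCP/80, toward this router ---
! (destination is 'any' because the router's own address is not known in advance)
ip access-list extended ACL-DDNS-REPLY
 permit tcp host 203.0.113.10 eq 80 any
!
! DHCP replies from the ISP must also reach the self zone or the WAN never gets a lease
ip access-list extended ACL-DHCP-REPLY
 permit udp any eq 67 any eq 68
!
class-map type inspect match-all CM-DDNS-REPLY
 match access-group name ACL-DDNS-REPLY
class-map type inspect match-all CM-DHCP-REPLY
 match access-group name ACL-DHCP-REPLY
!
! 'pass' is stateless; if you also define a self->OUTSIDE zone pair, mirror these
! classes there, otherwise the router's outgoing DDNS request is dropped instead.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-DDNS-REPLY
  pass
 class type inspect CM-DHCP-REPLY
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
!
! --- Verification (exec mode) ---
! debug ip ddns update
! show ip ddns update
! show policy-map type inspect zone-pair OUTSIDE-TO-SELF
```

With `drop log` on class-default, anything else the outside world sends to the router itself (IKE for the VPN, management access, etc.) will be dropped, so add a class for each of those before deploying this on a live router. Keep the ACL tied to the provider's actual server addresses: if they advertise a DNS name that resolves to several hosts, enumerate them rather than widening the rule to `any`.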
