Connecting to the Cloud Web Security service using IPSEC requires that the Cloud peer know the IP address that the firewall or router is coming from. This is defined manually in your portal under network locations.
When a router has a DHCP address on its outside interface you cannot guarantee that the address will remain the same. If the address does change the network location in portal must be updated to reflect the new ip address otherwise the IPSEC tunnel will fail to establish. This can cause a site outage.
Using the Cisco command "ip ddns . . ." it is possible to send updated ip address information into the Cloud to dynamically update the network location in your portal. This command will execute when the interface receives an ip address through DHCP.
This is your username created as part of the API keys that is created in portal under account maintenance. API key usernames must be unique.
password used as part of the API key
this is where the updates are sent. Do not use an ip address here. This will resolve to a Control Pod and if the active Control pod changes to a different one you want to make sure you can still successfully update the network location
This will add the host name into the query. In this form the name will be the router name with the DNS domain suffix appended.
this will add the current IP address to the query
this is the pre-shared key that will be used to establish the ipsec tunnel. This can be any alphanumeric character and must be at least 8 characters long.
In order to enter the character "?" you need to do a ctrl-v first and then enter "?" (without quotes).
What will happen when this command is sent to your portal? 1 - if there is no network location defined a new location is created with the provided information in the query string. 2 - if a network location already exists for the provided hostname the IP address will be updated. 3 - if a network location already exists with a different hostname and using same IP address that was provided in the query, an error will be returned and the network location will not be created.
This HTTP query can be used in a script to create multiple network locations at a time. It can also be used from a browser to create the network location.
Confirmed to work with Cisco IOS 12.4 and 15.0.
Imported Document ID: 000008566
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.