big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
We have an old Watchguard we are replacing with a Cisco ASA5510, but we are having a few problems...
One of the biggest hurdles is creating a VPN tunnel to our customers for support purposes. With the Watchguard, we just enter their DynDNS entry as the remote address, but the ASA only seems to want to use an IP address, not a host name.
Is there a way to initiate a VPN tunnel from the ASA to another firewall, which doesn't have a static IP address? All the Cisco docs I've found seem to say that the dynamic end must open up the connection, but given that most of our customers don't know what a VPN is, let alone how to initiate it and would have to wait for us to turn up on site and turn on the VPN for them, it isn't really going to work - especially as most of the emergency situations require a fix within 15 minutes, otherwise they will be sitting there with hundreds of thousands of Euros of damage!
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
|
Tue Apr 05, 2011 3:03 pm |
JJW009
I haven't seen my friends in so long
Joined: Thu Apr 23, 2009 6:58 pm Posts: 8767 Location: behind the sofa
|
Is this for support? I can't answer your actual question, but surely a visit wouldn't be required. You can just ping the dyndns and then put the IP in? Obviously not ideal, but quicker than driving to site. Alternatively, in our case we use a desktop VPN client (or ISDN dialup if their internet is down) on the support engineer's PC. Frankly since half our umpteen thousand customers are on 192.168.0.x I'm not sure how I'd even manage them on a router.
_________________jonbwfc's law: "In any forum thread someone will, no matter what the subject, mention Firefly." When you're feeling too silly for x404, youRwired.net
|
Tue Apr 05, 2011 10:44 pm |
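The "resolve the DynDNS name, then put the IP in" workaround from the post above, automated for a list of peers. This is an added example, not code from the thread or from any vendor; the customer names, hostnames, addresses and the `plan_updates` helper are constructed for illustration. Because the DNS answer ends up choosing the tunnel endpoint, the sketch holds back on failed, ambiguous or private-range answers instead of applying them.

```python
import ipaddress
import socket

# Constructed sample: customer -> (DynDNS host, peer IP currently configured)
PEERS = {
    "customer-a": ("customer-a.dyndns.example", "203.0.113.10"),
    "customer-b": ("customer-b.dyndns.example", "198.51.100.7"),
    "customer-c": ("customer-c.dyndns.example", "192.0.2.44"),
}

# Ranges that must never be accepted as a public tunnel endpoint.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def resolve_ipv4(host):
    """Return the sorted IPv4 addresses the name resolves to right now."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def usable_peer(addr):
    """True if the address is outside every blocked range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in BLOCKED)

def plan_updates(peers, resolver=resolve_ipv4):
    """Compare configured peer IPs with current DNS answers.

    Returns {customer: (action, detail)}; action is 'ok', 'update' or 'hold'.
    """
    plan = {}
    for name, (host, configured) in peers.items():
        try:
            answers = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            plan[name] = ("hold", f"lookup failed: {exc}")
            continue
        good = [a for a in answers if usable_peer(a)]
        if not good:
            plan[name] = ("hold", "no usable address in answer")
        elif configured in good:
            plan[name] = ("ok", configured)
        elif len(good) > 1:
            plan[name] = ("hold", "ambiguous answer")
        else:
            plan[name] = ("update", good[0])
    return plan

if __name__ == "__main__":
    for customer, (action, detail) in plan_updates(PEERS).items():
        print(f"{customer}: {action} ({detail})")
```

Only the `update` entries would need a change to the peer address; a `hold` is a case for a person to look at before any tunnel is opened.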
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
The support staff don't have access to the firewall, so they can't enter the public address of the dyndns location. Also, when we have to open 30 - 40 tunnels a day to dynamic IPs, it isn't really a long term solution.

I got an e-mail from Cisco support yesterday, and they say that they only support dynamic to static, it is not possible with Cisco routers to go from static to dynamic. Looks like I am going to get a huge bollocking and have to try and get a refund on the firewall (best part of 2K) and find another, fully featured, replacement...

The trouble is, the documentation and the manufacturer's description say that it supports DynDNS and VPN, but they don't mention that you can't use them in the constellation we need. Given that most of the cheap firewalls can do this, it seems criminal that a "top end" brand, like Cisco, doesn't support such a basic facility.

Edit: I had a thought last night, that we could possibly put the VPN on the Linux machine we use for all connections - we don't use PCs, only thin clients, the support staff all connect to a gateway Linux server and establish a connection with the remote network and use VNC or SSH onto the remote server or terminal. We can program the static IPs into the firewall and the dynamics on the Linux server.

This isn't really my field of expertise, I am only running the department as a second role and VPNs are relatively new to me, the admin who has worked with Cisco has only done so for a large hosting company, and he also never came across this restriction as all their clients had to have static IPs...
|
Wed Apr 06, 2011 4:26 am |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
We are sending the Cisco back and will get a "professional" firewall. We can't be the only support organisation in the world that needs to open VPN tunnels to their customers on a regular basis? Looking at Astaro and Juniper now.
|
Fri Apr 08, 2011 4:01 am |
saspro
Site Admin
Joined: Thu Apr 23, 2009 5:53 pm Posts: 8603 Location: location, location
|
We still use our Ciscos, although for support we spent a small fortune on Kaseya so we don't need VPNs to be open for remote access. We used to have VPN tunnels to our customers (as they all had business broadband with static IPs) but it was far easier connecting by name rather than remembering machine IPs.
|
Fri Apr 08, 2011 9:37 am |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
We've sent the Cisco ASA back, trying to get our money back due to "software defect"... We are now getting a Juniper, which was our second choice, when we bought the ASA.
|
Fri Apr 22, 2011 11:42 am |