Automatic initiation of ASA VPN tunnel

Answered Question
Apr 26th, 2007

I was wondering if someone had any ideas to a problem that I am having.


I previously had configured an IOS Router with a dynamic IP address from the ISP to VPN back to a headquarters PIX. I had the PIX configured for a wildcard isakmp/crypto peer address, so it did not care which peer IP address tried to do the VPN handshake with it. But, in order to bring up the VPN, it had to be initiated from the IOS Router LAN side because of the way dynamic-to-static VPN is configured.


The problem I originally had was that behind the IOS Router, on its LAN side, I had cameras that did not generate any traffic by themselves, so the VPN never came up. The way I got around that was to set up on the IOS Router a bogus NTP server IP address that was in the subnet across the VPN on the PIX side, and then source the NTP from the IOS Router Ethernet interface so it would automatically bring up the tunnel by itself.


Now we are trying to implement an ASA instead of an IOS Router, and the NTP commands are there, including the source option that can be "inside" or "outside", but it is not working the way the IOS Router did. I also tried to create some sort of SNMP and/or SLA with some source options, but that did not bring up the tunnel either. It is like it is not sourcing it from an IP address or interface that looks like interesting traffic.


I am wondering if it has something to do with the fact that the ASA we configured made us put IP addresses on the VLAN interfaces and then put the Ethernet interfaces in the particular switchport access VLAN, instead of putting IP addresses on the Ethernet interfaces themselves.


Does anyone have any ideas on how to automatically initiate the VPN tunnel from within the ASA configuration?

Correct Answer
acomiskey Thu, 04/26/2007 - 12:19

You may have to add the outside interface of the ASA as interesting traffic. That is usually done when you want to syslog from a remote ASA/PIX to a local syslog server. I know you are doing NTP, but it should be the same thing. Sounds like the same problem here. It's worth a shot anyway.


Here's the doc for the PIX, but it is similar for the ASA.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

shane.orr Thu, 04/26/2007 - 12:59

The idea of making the outside interface part of the interesting traffic is interesting. I see what this is doing, and if I could make it interesting traffic that would probably do the trick, but my remote ASA outside IP address is a dynamically assigned IP address, so I don't know how to make it part of the interesting traffic. Unless there is a way to specify an interface instead of an IP address in the access list?

shane.orr Thu, 04/26/2007 - 13:30

Never mind, I set my access-list source to use the outside interface, then set my NTP source to the outside interface as well. Worked like a champ. Appreciate the advice.
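Putting the thread's fix together as an added configuration example (not posted by anyone in the thread) for the remote, dynamically addressed ASA: the crypto ACL carries the camera LAN plus an entry whose source is the ASA's own outside interface, and NTP is sourced from that interface so the ASA's own packets match the crypto map and trigger the tunnel. It assumes ASA 7.x/8.x pre-8.3 syntax and constructed addresses and names (192.168.10.0/24 camera LAN, 10.1.0.0/16 HQ, NTP host 10.1.1.5, peer 203.0.113.10, ACL and map names); it narrows the thread's idea to just UDP/123 to one host rather than opening the outside address to the whole remote subnet.

```text
! Interesting traffic: camera LAN to HQ LAN, plus the ASA's own outside
! address to the HQ NTP host only (udp/123), so the trigger traffic is
! limited to what is actually needed.
access-list VPN-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPN-TRAFFIC extended permit udp interface outside host 10.1.1.5 eq 123
!
! Keep camera-LAN traffic out of NAT when it goes through the tunnel
! (pre-8.3 NAT exemption syntax, assumed for this example)
access-list NO-NAT extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
!
! NTP sourced from the outside interface: the request leaves with the
! (dynamic) outside address as source and matches the second ACL line,
! which is what brings the tunnel up without any LAN host sending traffic.
ntp server 10.1.1.5 source outside
!
! Phase 1 / Phase 2 toward the static HQ peer (HQ side uses a dynamic
! crypto map, so it accepts this spoke's proposed proxy identities)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` on the spoke should show the SA coming up shortly after the ASA polls NTP, with no traffic from the camera LAN.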
