Any way to bring up a tunnel from within the router/firewall?

Unanswered Question
Sep 14th, 2007

I've set up a number of site-to-site IPSEC tunnels, but the one thing that I can't seem to get is: Is there any way to bring the tunnel up if I am not actually at one of the endpoints?

...usually I can just tell one of the people at either end to do a PING or something so that the "interesting traffic" access-list gets a hit and brings up the tunnel, but if it's midnight and I'm SSH-ed into a firewall from home and I want to bring up the tunnel to see that it's working, can I do it using any commands on the router/firewall... my understanding is that traffic sourced from the router/firewall won't hit any access lists, so I can't bring up the tunnel with a simple PING. (or is my understanding wrong?)

Any ideas or "tricks" that people use to accomplish this?

Thomas Dzubin

aghaznavi Fri, 09/21/2007 - 08:36

Currently, there is an existing L2L tunnel set up between the NY(HQ) office and TN office. Your company has recently opened a new office that is located in TX. This new office requires connectivity to local resources that are located in the NY and TN offices. In addition, there is an additional requirement to allow employees the opportunity to work from home and securely access resources that are located on the internal network remotely. In this example, a new VPN tunnel is configured as well as a remote access VPN server that is located in the NY office.

In this example, two commands are used in order to allow the communication between the VPN networks and identify the traffic that should be tunneled or encrypted. This enables you to have access to the internet without having to send that traffic through the VPN tunnel. In order to configure these two options, issue the split-tunnel and same-security-traffic commands.

thomasdzubin Fri, 09/21/2007 - 11:25

I'm guessing "aghaznavi" is a bot? Plugging in various recent "aghaznavi" replies into Google seems to show direct cut-and-pasting from various Cisco documents that may or (in this case) may not be relevant. This is a great example... aghaznavi's reply here is a direct cut-and-paste from Cisco Document ID 82020:

"PIX/ASA 7.X : Add a New Tunnel or Remote Access to an Existing L2L VPN"

Oh well.

ajagadee Fri, 09/28/2007 - 11:13

Hi,

For the IPSEC tunnel to be built, there must be traffic that matches the crypto access-list.

Scenario 1:

10.1.1.x/24 - Router1 --- Internet --- Router2 - 192.168.1.x/24

In the above case, if you are doing an IPSEC tunnel from 10.1.1.x/24 to 192.168.1.x/24 and want to bring up the tunnel, you could generate traffic from the router using an extended ping: ping with source 10.1.1.x/24 and destination 192.168.1.x/24.

Scenario 2:

10.1.1.x/24 Router3 -- 172.16.1.x/24 -- Router1 --- Internet --- Router2 172.16.2.x/24 - Router4 - 192.168.1.x/24

In the above case, if you are doing an IPSEC tunnel from 10.1.1.x/24 to 192.168.1.x/24 and want to bring up the tunnel, you need to log on to Router 3 or Router 4 to source the traffic from 10.1.1.x/24 or 192.168.1.x/24 to bring up the tunnel.

Scenario 3:

10.1.1.x/24 - Pix/ASA --- Internet --- Pix/ASA - 192.168.1.x/24

In the above case, if you are doing an IPSEC tunnel from 10.1.1.x/24 to 192.168.1.x/24 and want to bring up the tunnel, you could bring up the tunnel by having someone on 10.1.1.x or 192.168.1.x generate traffic, since you cannot do an extended ping from the PIX or ASA.

With the 7.0 release for PIX and ASA, there are some enhancements to the ping command, but you cannot specify the source address.

ICMP Ping Services

This feature introduces several additions to ping (ICMP echo) services, including support for IPv6 addresses. The ping command also supports extended options including data pattern, df-bit, repeat count, datagram size, interval, verbose output, and sweep range of sizes.

The existing ping EXEC command has been extended with various keywords and parameters to aid in troubleshooting network connectivity issues. It also provides support for an interactive mode of operation.

More details:

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1589514

In your case:

1. You can have someone generate traffic that matches the crypto map ACL.

2. SSH or Telnet into one of the devices in 10.1.1.x or 192.168.1.x and then source traffic from there.

I hope it helps.

Please do share if you have any other ideas on this.

Regards,

Arul

** Please rate all helpful posts **

acomiskey Fri, 09/28/2007 - 11:20

Another easy solution is to add the source address, the pix outside interface address, as interesting traffic to a device on the remote subnet. Therefore when you ping/telnet etc. from the pix to the remote subnet, this traffic is interesting and is tunneled bringing up the vpn.

Local Pix - ip address outside 1.1.1.1

access-list crypto permit ip host 1.1.1.1 192.168.1.0 255.255.255.0

Remote Pix

access-list crypto permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
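The two answers above both come down to one question: does the source/destination pair of the probe packet hit a permit entry in the crypto ACL? The following is an added simulation of that match (not code from this thread, Cisco, or any of the posters) written in Python so it can be run offline. It parses the PIX/ASA ACL form used in the thread (`host a.b.c.d`, `network mask`, `any`; IOS wildcard masks are not modelled), and then checks three constructed cases: a ping sourced from the outside address 1.1.1.1 against the plain inside-to-inside ACL (no match, tunnel stays down), an extended ping sourced from the inside subnet (match), and the outside-sourced ping once the `host 1.1.1.1` entry from the post above is added (match). The `mirror()` helper and the addresses are assumptions constructed for the example, and `mirror()` only builds the remote peer's mirror-image ACL so the reply direction can be checked too.

```python
"""Toy model of crypto-map "interesting traffic" matching (constructed example).

Shows why a probe sourced from a firewall's outside interface never matches a
site-to-site crypto ACL written for the inside subnets, while an extended ping
sourced from the inside subnet, or an explicit "host <outside-ip>" entry, does.
ACL syntax is the PIX/ASA form used in the thread (subnet masks, not IOS
wildcard masks). This is a simulation, not Cisco code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry of a crypto ACL: permit ip <src> <dst>."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one PIX/ASA address spec from a token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    # "network mask" form, e.g. 192.168.1.0 255.255.255.0
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(lines):
    """Parse 'access-list <name> permit ip <src> <dst>' lines into Ace objects."""
    aces = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue  # only permit entries select traffic for encryption
        if tokens[3] != "ip":
            raise ValueError(f"unsupported protocol in ACE: {line}")
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(src, dst))
    return aces


def is_interesting(aces, src_ip, dst_ip):
    """True if (src, dst) hits any permit ACE, i.e. would trigger tunnel negotiation."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in ace.src and d in ace.dst for ace in aces)


def mirror(aces):
    """Assumed helper: build the remote peer's ACL by swapping src and dst of each ACE."""
    return [Ace(a.dst, a.src) for a in aces]


# Constructed config for the thread's scenario: LAN 10.1.1.0/24 behind a
# firewall whose outside address is 1.1.1.1, remote LAN 192.168.1.0/24.
LOCAL_ACL = [
    "access-list crypto permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
]
# Same ACL plus the "host <outside address>" entry suggested in the thread.
LOCAL_ACL_WITH_HOST = LOCAL_ACL + [
    "access-list crypto permit ip host 1.1.1.1 192.168.1.0 255.255.255.0",
]


def demo():
    """Evaluate the three probe cases and the remote side's reply direction."""
    base = parse_crypto_acl(LOCAL_ACL)
    extended = parse_crypto_acl(LOCAL_ACL_WITH_HOST)
    return {
        # plain ping from the firewall: sourced from the outside address, no hit
        "outside_sourced_plain": is_interesting(base, "1.1.1.1", "192.168.1.10"),
        # extended ping sourced from the inside subnet: hit
        "inside_sourced_plain": is_interesting(base, "10.1.1.1", "192.168.1.10"),
        # outside-sourced ping after adding the host ACE: hit
        "outside_sourced_with_host_ace": is_interesting(extended, "1.1.1.1", "192.168.1.10"),
        # remote peer's mirror ACL must also match the reply, or the SA will not form
        "remote_reply_matches_mirror": is_interesting(mirror(extended), "192.168.1.10", "1.1.1.1"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'interesting' if hit else 'not interesting'}")
```

The last case is the reason the post above shows the remote PIX line as well: the crypto ACLs on the two peers have to be mirror images, so adding `host 1.1.1.1` on one side without the matching entry on the other leaves the proxy identities mismatched and the SA will not be negotiated.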
