policy-nat L2L VPN remote initiates tunnel

Unanswered Question
Nov 2nd, 2009

I have a vendor that needs to connect to my server.

He already routes my internal subnet, so I need to do policy-nat.

If my server were initiating the tunnel I would have this:


! <inside-ip>, <public-ip>, <vendor-net> and <mask> are placeholders for the addresses omitted from the post
names
name <inside-ip> MyServerLocal
name <public-ip> MyServerGlobal
name <vendor-net> VendorNetwork
access-list Local-2-Vendor permit ip host MyServerLocal VendorNetwork <mask>
access-list Global-2-Vendor permit ip host MyServerGlobal VendorNetwork <mask>
static (inside,outside) MyServerGlobal access-list Local-2-Vendor
crypto map outside_map 1 match address Global-2-Vendor
crypto map outside_map 1 set peer XX.25.26.27
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group XX.25.26.27 type ipsec-l2l
tunnel-group XX.25.26.27 ipsec-attributes
 pre-shared-key MyKey

The above works fine, but it does not allow hosts on the VendorNetwork to initiate the tunnel.

What do I need to change so that the VendorNetwork can bring up the tunnel?

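The configuration below is an added example for readers, not the poster's own configuration: it is the same policy NAT and L2L crypto map rewritten in ASA 8.4+ object and twice-NAT syntax, followed by the checks used to confirm that an inbound vendor packet is un-translated and handed to the crypto map. The object names are the poster's; every address is an assumption taken from the RFC 5737 documentation ranges, and 198.51.100.27 stands in for the redacted peer XX.25.26.27. 3DES, SHA-1 and DH group 2 are kept only to match the original post.

```cisco
! Added example, not the poster's configuration. Addresses are placeholders
! (RFC 5737 documentation ranges); 198.51.100.27 stands in for XX.25.26.27.
object network MyServerLocal
 host 10.1.1.5
object network MyServerGlobal
 host 203.0.113.5
object network VendorNetwork
 subnet 192.168.50.0 255.255.255.0
!
! Twice NAT: MyServerLocal is presented as MyServerGlobal only toward
! VendorNetwork. Static twice NAT is bidirectional, so a decrypted packet
! from the vendor to 203.0.113.5 is un-translated to 10.1.1.5.
nat (inside,outside) source static MyServerLocal MyServerGlobal destination static VendorNetwork VendorNetwork
!
! Crypto ACL (Phase 2 proxy IDs) uses the translated address, as in the
! original post. The vendor's mirror ACL must be VendorNetwork <-> host
! 203.0.113.5; any other proxy ID is rejected whichever side initiates.
access-list Global-2-Vendor extended permit ip object MyServerGlobal object VendorNetwork
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address Global-2-Vendor
crypto map outside_map 1 set peer 198.51.100.27
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
! Dead peer detection so a stale SA is torn down instead of black-holing
! the vendor's next connection attempt.
tunnel-group 198.51.100.27 type ipsec-l2l
tunnel-group 198.51.100.27 ipsec-attributes
 ikev1 pre-shared-key MyKey
 isakmp keepalive threshold 10 retry 2
!
! Checks. packet-tracer simulates a vendor host opening TCP/443 to the
! global address on the outside interface: look for an UN-NAT phase that
! translates 203.0.113.5 to 10.1.1.5 and a VPN phase. If either is
! missing, vendor traffic never reaches the server no matter who brings
! the tunnel up.
packet-tracer input outside tcp 192.168.50.10 1025 203.0.113.5 443
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.27
```

Two caveats for the scenario in the thread. First, whether the remote side can initiate is decided by Phase 2: the vendor must present proxy IDs that exactly mirror Global-2-Vendor (their subnet to the single global host), and must route 203.0.113.5 into the tunnel rather than the real inside subnet they already use elsewhere. Second, any keepalive used to hold the tunnel up must be sourced from MyServerLocal itself; a ping sourced from the ASA's own outside interface address does not match the crypto ACL and is not interesting traffic. On current code, AES and SHA-2 (and IKEv2) should replace the 3DES/SHA-1/group 2 settings carried over from the post.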
Phil Williamson Mon, 11/02/2009 - 09:10


Yes, I know of this limitation, but was thinking maybe in v8.x OS that I could do some sort of static(outside,inside) policy-nat, but it seems not to be.


Daniel Barr Tue, 11/03/2009 - 10:24

I actually have this exact same scenario - vendor connecting to our servers (we never connect to theirs), and we need to Policy NAT because they've already got our subnets in use for another customer's tunnel. But this means their hosts would not be able to initiate the tunnel, which is obviously problematic since we never make a connection out to them.

I know this was just yesterday, but did you come up with any solution? I guess we could just set up some sort of keepalive on our side to ping an address on their network to make sure the tunnel is kept up at all times?

Phil Williamson Tue, 11/03/2009 - 10:28

The keep-alive solution was discussed, but ultimately we decided to just set up AnyConnect. It will not provide the same functionality as an L2L tunnel (access to local devices comes to mind), but it will suffice for now.

Daniel Barr Tue, 11/03/2009 - 10:32

Interesting. We actually have them using client-access now, but their developers have moved to 64-bit OS and thus no more IPSec client, and we haven't yet fully implemented SSL VPN for AnyConnect (nor bought more than the 2 default licenses).

I guess we'll try out a keep-alive.

Thanks for the quick reply.

Phil Williamson Tue, 11/03/2009 - 10:41

AnyConnect Essentials licensing is available now: for the ASA5505, $100 for 25, and for the 5510, $100 for 250. You do lose the pure SSL clientless connectivity, though.

AnyConnect works with 64-bit.

See http://www.cisco.com/en/US/customer/docs/security/asa/asa80/license/license80.html#wp86066 and http://www.cisco.com/en/US/customer/docs/security/asa/asa82/license/license82.html#wp170910 for more.

Daniel Barr Tue, 11/03/2009 - 11:09

Yeah, I've been messing with AnyConnect since I use 64-bit at home and also on my company laptop now. I like it a lot, and the clientless is very appealing for users who just need web or file share access. We just haven't had the time to fully explore it, set up dynamic access policies, etc. Maybe now is that time. :)
