
policy-nat L2L VPN remote initiates tunnel

Phil Williamson
Level 1

I have a vendor that needs to connect to my server.

He already routes my internal subnet so I need to do policy-nat.

If my server were initiating the tunnel I would have this:

!
names
name 192.168.1.1 MyServerLocal
name 10.168.1.1 MyServerGlobal
name 10.1.1.0 VendorNetwork
!
! NAT ACL: the server's real (inside) address talking to the vendor network
access-list Local-2-Vendor permit ip host MyServerLocal VendorNetwork 255.255.255.0
! Crypto ACL: the same flow as seen after translation (global address)
access-list Global-2-Vendor permit ip host MyServerGlobal VendorNetwork 255.255.255.0
!
! Policy NAT: MyServerLocal becomes MyServerGlobal only for traffic matching Local-2-Vendor
static (inside,outside) MyServerGlobal access-list Local-2-Vendor
!
! The crypto map matches on post-NAT addresses, hence Global-2-Vendor
crypto map outside_map 1 match address Global-2-Vendor
crypto map outside_map 1 set peer XX.25.26.27
crypto map outside_map 1 set transform-set ESP-3DES-SHA
!
tunnel-group XX.25.26.27 type ipsec-l2l
tunnel-group XX.25.26.27 ipsec-attributes
 pre-shared-key MyKey

The above works fine, but it does not allow hosts on the VendorNetwork to initiate the tunnel.

What do I need to change so that the VendorNetwork can bring up the tunnel?
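The configuration above pairs a policy NAT ACL written with the real address (Local-2-Vendor) with a crypto ACL written with the translated address (Global-2-Vendor), and that pairing is the part people most often get wrong. The following script is an added example, not code from the thread or from Cisco: it parses the `name`, `access-list`, `static ... access-list` and `crypto map ... match address` lines of an ASA 8.2-style config and checks that the crypto ACL refers to the server by its mapped address and that both ACLs describe the same remote network. The sample configs are constructed from the poster's lines (plus two deliberately broken variants); the function names are this example's own. It only checks the server-initiated direction that the post says works and says nothing about remote initiation.

```python
"""Consistency check for ASA 8.2-style policy NAT + L2L crypto map config.

Added example (not from the thread or from Cisco). Verifies two properties of
the working config in the post:
  1. the crypto ACL refers to the server by its translated (global) address,
     not the real inside address that the static maps away, and
  2. the crypto ACL's remote network is covered by the policy NAT ACL's.
Sample configs are constructed from the thread's own lines; the function and
variable names are this example's, not ASA commands.
"""
from ipaddress import ip_network

# The poster's working config, with the `name` keyword that ASA requires.
CONFIG_FROM_THREAD = """\
names
name 192.168.1.1 MyServerLocal
name 10.168.1.1 MyServerGlobal
name 10.1.1.0 VendorNetwork
access-list Local-2-Vendor permit ip host MyServerLocal VendorNetwork 255.255.255.0
access-list Global-2-Vendor permit ip host MyServerGlobal VendorNetwork 255.255.255.0
static (inside,outside) MyServerGlobal access-list Local-2-Vendor
crypto map outside_map 1 match address Global-2-Vendor
"""

# Constructed mistake 1: the crypto map points at the pre-NAT ACL.
WRONG_ACL_CONFIG = CONFIG_FROM_THREAD.replace(
    "match address Global-2-Vendor", "match address Local-2-Vendor")

# Constructed mistake 2: the crypto ACL names a different vendor subnet than the NAT ACL.
WRONG_DST_CONFIG = CONFIG_FROM_THREAD.replace(
    "host MyServerGlobal VendorNetwork 255.255.255.0",
    "host MyServerGlobal 10.1.2.0 255.255.255.0")


def _addr(tokens, i, names):
    """Parse one ACE address starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    net = names.get(tok, tok)
    return ip_network(f"{net}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (names, acls, statics, crypto_maps) from the relevant config lines."""
    names, acls, statics, crypto = {}, {}, [], {}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "name" and len(t) >= 3:              # name <ip> <label>
            names[t[2]] = t[1]
        elif t[0] == "access-list" and "permit" in t:   # access-list N [extended] permit ip SRC DST
            p = t.index("permit")
            src, i = _addr(t, p + 2, names)
            dst, _ = _addr(t, i, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "static" and "access-list" in t:   # static (real,mapped) MAPPED access-list ACL
            mapped = names.get(t[2], t[2])
            statics.append((t[t.index("access-list") + 1], ip_network(mapped + "/32")))
        elif t[:2] == ["crypto", "map"] and "match" in t:  # crypto map NAME SEQ match address ACL
            crypto[(t[2], t[3])] = t[t.index("address") + 1]
    return names, acls, statics, crypto


def check_policy_nat_vpn(text):
    """Return a list of findings; an empty list means the NAT and crypto ACLs agree."""
    _, acls, statics, crypto = parse_config(text)
    findings = []
    for (cmap, seq), acl in crypto.items():
        for src, dst in acls.get(acl, []):
            for nat_acl, mapped in statics:
                nat_aces = acls.get(nat_acl, [])
                real_srcs = [s for s, _ in nat_aces]
                # 1. The crypto ACL must see the server after translation.
                if any(src.overlaps(s) for s in real_srcs) and not src.overlaps(mapped):
                    findings.append(
                        f"crypto map {cmap} {seq}: ACL {acl} uses pre-NAT address {src}; "
                        f"static translates it to {mapped}")
                # 2. Both ACLs must describe the same remote network.
                if src.overlaps(mapped) and not any(dst.subnet_of(d) for _, d in nat_aces):
                    findings.append(
                        f"crypto map {cmap} {seq}: ACL {acl} remote {dst} is not covered by "
                        f"policy NAT ACL {nat_acl} ({[str(d) for _, d in nat_aces]})")
    return findings


if __name__ == "__main__":
    for label, cfg in [("thread", CONFIG_FROM_THREAD), ("wrong ACL", WRONG_ACL_CONFIG),
                       ("wrong dst", WRONG_DST_CONFIG)]:
        print(label, "->", check_policy_nat_vpn(cfg) or "OK")
```

Run it against a `show run` excerpt that contains the `name`, `access-list`, `static` and `crypto map` lines; the thread's config produces no findings, while pointing the crypto map at Local-2-Vendor, or giving the crypto ACL a different remote subnet, each produces one.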

7 Replies

Collin Clark
VIP Alumni

You can't. Read the Introduction on the following link for an explanation.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Hope it helps.

Collin,

Yes, I know of this limitation, but was thinking maybe in v8.x OS that I could do some sort of static(outside,inside) policy-nat, but it seems not to be.

Thx

I actually have this exact same scenario - vendor connecting to our servers (we never connect to theirs), and we need to Policy NAT because they've already got our subnets in use for another customer's tunnel. But this means their hosts would not be able to initiate the tunnel, which is obviously problematic since we never make a connection out to them.

I know this was just yesterday, but did you come up with any solution? I guess we could just set up some sort of keepalive on our side to ping an address on their network to make sure the tunnel is kept up at all times?

The keep-alive solution was discussed, but ultimately we decided to just setup AnyConnect. It will not provide the same functionality as an L2L tunnel, access to local devices comes to mind, but it will suffice for now.

Interesting. We actually have them using client-access now, but their developers have moved to 64-bit OS and thus no more IPSec client, and we haven't yet fully implemented SSL VPN for AnyConnect (nor bought more than the 2 default licenses).

I guess we'll try out a keep-alive.

Thanks for the quick reply.

AnyConnect Essential licensing is available now for the ASA5505 $100 for 25 and 5510 $100 for 250 - you do lose the pure SSL clientless connectivity though.

AnyConnect works with 64-bit

see http://www.cisco.com/en/US/customer/docs/security/asa/asa80/license/license80.html#wp86066 and http://www.cisco.com/en/US/customer/docs/security/asa/asa82/license/license82.html#wp170910 for more.

Yeah, I've been messing with AnyConnect since I use 64-bit at home and also on my company laptop now. I like it a lot, and the clientless is very appealing for users who just need web or file share access. We just haven't had the time to fully explore it, set up dynamic access policies, etc. Maybe now is that time. :)
