Tunnel Initiation problem

a.shaukat
Level 1

I am running an ASA5520 with Outside, Inside, Client and Branch interfaces.

The inside interface connects to the server farm network (192.168.0.0) only.

The client interface connects all the clients on the LAN network (172.16.0.0) to the branches (through the Branch interface), to the server farm and to each other. All three interfaces are on the same security level (100).

The branch interface connects to a 3825 border router that has all the remote branches on DSL and point-to-point links connecting to it.

All branches have 837 SOHO routers and connect through DSL (data circuit) to the 3825 router at the head office, through a VPN tunnel. The VPN config at the head office 3825 is a dynamic crypto map, and the branches have a static one with the head office IP as the peer.

The problem that I am facing is that the VPN tunnel is initiated only when a packet destined to the inside or client network is sent.

E.g., only when a ping to the 192.168.0.0 network is run does it allow the branches to access the server farm network.

Now, to connect to the client network (172.16.0.0), I have to ping again to any host on 172.16.0.0 from the branch.

My question: since there is only one VPN tunnel from the branch to the head office, why do I need to ping from the branch to 192.168.0.0 and 172.16.0.0 both separately? I don't really have a problem for the 192.168.0.0 network, because everyone at the branch connects to the servers for e-mail, internet etc., but 172.16.0.0 is a problem.

Can't there be a way to auto-initiate the connection to the 172.16.0.0 network? Right now I have a script running at startup on the branches that pings the 172.16.0.1 IP to initiate the tunnel.

************** H E L P **************

3 Replies

a.shaukat
Level 1

Attached is the network diagram for clarification.

Each VPN tunnel has its own crypto map that must be activated. The specified "interesting" traffic should be enough to bring up the tunnel, so there shouldn't be a need to ping across the tunnel.

There's only one VPN tunnel being initiated.

Through that tunnel one subnet (192.168.0.0) is successfully connected, while the other subnet (172.16.0.0) cannot be.

Why? Because the branch location (192.168.6.0) did not send any packet to the 172.16.0.0 network. The second this branch sends the first ping packet to any machine on the 172.16.0.0 subnet, the link is established.

But this is a problem for me, since I want this link to be established if anyone on the 172.16.0.0 subnet pings the 192.168.6.0 subnet.

Can this be done?
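The behaviour described in the original post and in the follow-up ("can this be done?") comes down to how IOS maps crypto ACL entries to IPsec security associations. One IKE (ISAKMP) SA is built to the head-office peer, but a separate IPsec SA pair is negotiated for each permit line in the crypto ACL, and each pair is brought up only by a packet matching that particular line. The configuration below is an added example of a branch 837 static crypto map written to illustrate this; it is not the poster's configuration or diagram (which is not reproduced here). The peer address 203.0.113.1, the Dialer1 WAN interface, the 192.168.6.1 LAN address, the /16 mask on the 172.16.0.0 client network, the ACL, transform-set and crypto-map names and the pre-shared key are all assumptions.

```cisco
! Added example (not from the original post): branch Cisco 837 with a static
! crypto map peering to the head-office 3825, which runs a dynamic crypto map.
! Assumed placeholders: HQ peer 203.0.113.1, WAN interface Dialer1, branch LAN
! address 192.168.6.1/24, transform-set name, pre-shared key, and a /16 mask on
! the 172.16.0.0 client network. The branch LAN 192.168.6.0/24, the server farm
! 192.168.0.0 and the client LAN 172.16.0.0 are taken from the post.
!
! One ISAKMP SA is built to the peer, but IOS negotiates a SEPARATE IPsec SA pair
! for EACH permit line below, and each pair only comes up when a packet matches
! THAT line. A ping to 192.168.0.x therefore opens the server farm only, and a
! second ping to 172.16.0.x is needed before the client LAN is reachable.
ip access-list extended VPN-TO-HQ
 remark SA pair 1: branch LAN <-> server farm (ASA inside interface)
 permit ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.0.255
 remark SA pair 2: branch LAN <-> client LAN (ASA client interface)
 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set HQ-TS esp-aes esp-sha-hmac
!
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ-TS
 match address VPN-TO-HQ
!
interface Dialer1
 crypto map HQ-MAP
!
! A dynamic crypto map entry can only RESPOND to a negotiation, never start one,
! so traffic from 172.16.0.0 towards 192.168.6.0 at head office cannot bring SA
! pair 2 up while the 3825 keeps its dynamic map; the branch has to originate it.
! Rather than a PC-side startup script, let the router generate the interesting
! traffic itself (assumes an IOS with IP SLA; 12.3 images use the older "rtr"
! syntax). The source address must lie in 192.168.6.0/24, or the probe will not
! match the crypto ACL and will never trigger the SA.
ip sla monitor 1
 type echo protocol ipIcmpEcho 172.16.0.1 source-ipaddr 192.168.6.1
 frequency 60
ip sla monitor schedule 1 life forever start-time now
```

To confirm the diagnosis on the branch router, `show crypto isakmp sa` should list a single entry for the head-office peer, while `show crypto ipsec sa` shows one block per crypto ACL line (identified by its local and remote ident); the block for the 172.16.0.0 line has no inbound or outbound ESP SPIs until something from 192.168.6.0/24 has been sent to that network. The only way to get one SA pair for everything is to collapse the ACL to a single line (for example a destination of `any`), which sends all branch traffic, internet included, through the tunnel and requires the head-office side to accept that proxy identity; the router-side probe above keeps the two-line ACL and simply makes sure the second pair is always initiated from the branch.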
