I have set up a VPN through my ASA for my branch routers. The branch routers are on ADSL links and they are initiating the connection, and they are able to connect to HO. On my ASA I have created a dynamic-map which accepts connections dynamically. The problem is I can't initiate a connection from the ASA to a branch router, and also when the branch routers are connected to HO, when the tunnel is up, I'm not able to telnet or ping to the remote branch routers?
From what I understand you can only establish the VPN connection from the ASA's side when it's a L2L VPN. With EzVPN and hardware VPN clients, the client device is usually configured to automatically connect to the central VPN device when it has an internet connection. Though there is an option to manually give the username/password during connecting on the CLI (at least with routers).
About the VPN phase
I've only configured L2L VPN recently and in those cases the error message has usually related to the fact that the VPN connection isn't establishing for the connection you are testing. Usually it means that the VPN settings don't match. Then again you are using the routers as VPN clients, so I'd guess the error is related to the fact that the ASA can't initiate the connection to the client. The client has to initiate the VPN connection first to give access to the remote networks.
Sorry, this is mostly me guessing. I don't really have a solid understanding of these types of VPN
When my branch routers' interesting traffic initiates a connection to HO, then only the interesting traffic subnets from HO are able to initiate a connection.
Interesting traffic in HO 192.168.1.0 & 192.168.2.0
Interesting traffic in Branch 172.16.10.0 172.16.11.0
If, suppose, a PC in 172.16.10.0 initiates a connection to 192.168.1.0, then only any other PC in 192.168.1.0 can initiate a connection to the branch in 172.16.10.0.
If a PC in 192.168.1.0 wants to initiate a connection to another subnet of the branch, suppose 172.16.11.0, the PC gets a request timeout. BUT if any PC in 172.16.11.0 initiates a connection to 192.168.1.0, then PCs from subnet 192.168.1.0 are also able to reach 172.16.11.0.
Is this normal behaviour for a one-side-static, other-side-dynamic IPsec VPN?
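The behaviour described in the post above is what you get when the hub only has a dynamic crypto map: it cannot start a negotiation toward a peer whose address it does not know, and each Phase 2 SA covers only one proxy-ID (subnet pair), so a second branch subnet stays unreachable from HO until the branch brings that pair up itself. The following Python model is an added illustration of that logic, not configuration from this thread; it assumes one SA per local/remote subnet pair and uses the subnets from the post.

```python
"""Model of per-subnet-pair IPsec SAs between a static hub (HO, ASA with a
dynamic crypto map) and a dynamic-address branch router.  Illustration only;
the subnets are the ones quoted in the thread."""
from ipaddress import ip_address, ip_network

HO_SUBNETS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]
BRANCH_SUBNETS = [ip_network("172.16.10.0/24"), ip_network("172.16.11.0/24")]


class IPsecTunnel:
    def __init__(self, ho_subnets, branch_subnets):
        self.ho = ho_subnets
        self.branch = branch_subnets
        # Established Phase 2 SAs, one per (ho_net, branch_net) proxy-ID pair.
        self.sas = set()

    def _pair(self, ho_ip, branch_ip):
        """Map a HO/branch address pair onto the crypto ACL entry it matches."""
        ho_net = next((n for n in self.ho if ho_ip in n), None)
        br_net = next((n for n in self.branch if branch_ip in n), None)
        return (ho_net, br_net) if ho_net and br_net else None

    def send(self, src, dst):
        """Return True if a packet src->dst is carried by the tunnel."""
        src, dst = ip_address(src), ip_address(dst)
        branch_initiated = any(src in n for n in self.branch)
        pair = self._pair(dst, src) if branch_initiated else self._pair(src, dst)
        if pair is None:
            return False          # not interesting traffic for any ACL entry
        if pair in self.sas:
            return True           # SA for this proxy-ID pair already exists
        if branch_initiated:
            # The branch knows the hub's static address, so it can negotiate
            # a new Phase 2 SA for this subnet pair and the packet goes through.
            self.sas.add(pair)
            return True
        # The hub's dynamic crypto map cannot initiate toward a dynamic peer:
        # the packet is dropped and the sender sees a request timeout.
        return False
```

Once the branch has brought up the 172.16.11.0 pair, HO hosts in 192.168.1.0 reach it too; a different HO subnet (192.168.2.0) would again need its own SA.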