I actually have this exact same scenario - vendor connecting to our servers (we never connect to theirs), and we need to Policy NAT because they've already got our subnets in use for another customer's tunnel. But this means their hosts would not be able to initiate the tunnel, which is obviously problematic since we never make a connection out to them.
I know this was just yesterday, but did you come up with any solution? I guess we could just set up some sort of keepalive on our side to ping an address on their network to make sure the tunnel is kept up at all times?
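Added example (not posted by anyone in this thread, and not the poster's configuration) of the overlapping-subnet setup described above, in ASA 8.4+ syntax: our real inside network is translated to a mapped range only when the destination is the vendor's network, and the crypto ACL is written in terms of the mapped range. Every address, object name and peer in it is made up for illustration and must be replaced with values agreed with the vendor.

```cisco
! Constructed addressing for this example:
!   our real inside network       10.1.0.0/16    (already used on the vendor side)
!   mapped range shown to vendor  192.168.0.0/16 (agreed with the vendor)
!   vendor hosts we must reach    172.16.50.0/24
!   vendor VPN peer               203.0.113.10
object network OUR_REAL
 subnet 10.1.0.0 255.255.0.0
object network OUR_MAPPED
 subnet 192.168.0.0 255.255.0.0
object network VENDOR_NET
 subnet 172.16.50.0 255.255.255.0
!
! Manual (twice) NAT: 10.1.0.0/16 becomes 192.168.0.0/16 only when the
! destination is VENDOR_NET. A static /16-to-/16 mapping is one-to-one,
! so traffic the vendor sends to 192.168.x.y is untranslated to 10.1.x.y.
! Traffic to every other destination is untouched by this rule.
nat (inside,outside) source static OUR_REAL OUR_MAPPED destination static VENDOR_NET VENDOR_NET
!
! Interesting-traffic ACL uses the MAPPED addresses, because NAT is applied
! before the crypto map is consulted. The vendor's mirror ACL is
! 172.16.50.0/24 -> 192.168.0.0/16.
access-list VENDOR_VPN extended permit ip 192.168.0.0 255.255.0.0 172.16.50.0 255.255.255.0
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VENDOR_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_REAL_PSK
```

On the keepalive idea: IKE is triggered by a packet that matches the crypto ACL after translation, so a keepalive has to originate from a host behind the inside interface (for example a scheduled ping from 10.1.0.5 to 172.16.50.10 in the addressing above). A probe sourced from the ASA's own outside interface address would not match VENDOR_VPN and therefore would not bring the tunnel up.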
The keep-alive solution was discussed, but ultimately we decided to just set up AnyConnect. It will not provide the same functionality as an L2L tunnel, access to local devices comes to mind, but it will suffice for now.
Interesting. We actually have them using client-access now, but their developers have moved to 64-bit OS and thus no more IPSec client, and we haven't yet fully implemented SSL VPN for AnyConnect (nor bought more than the 2 default licenses).
Yeah, I've been messing with AnyConnect since I use 64-bit at home and also on my company laptop now. I like it a lot, and the clientless is very appealing for users who just need web or file share access. We just haven't had the time to fully explore it, set up dynamic access policies, etc. Maybe now is that time. :)
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which does get hits, to permit tcp from the inside interface to any6.
In Syslog I also se...