Community Member

policy-nat L2L VPN remote initiates tunnel

I have a vendor that needs to connect to my server.

He already routes my internal subnet so I need to do policy-nat.

If my server were initiating the tunnel I would have this:

!
names
name 192.168.1.1 MyServerLocal
name 10.168.1.1 MyServerGlobal
name 10.1.1.0 VendorNetwork
!
! NAT ACL: matched on the real (pre-NAT) server address
access-list Local-2-Vendor permit ip host MyServerLocal VendorNetwork 255.255.255.0
! Crypto ACL: matched on the translated (post-NAT) address the vendor sees
access-list Global-2-Vendor permit ip host MyServerGlobal VendorNetwork 255.255.255.0
!
! Policy static: translate MyServerLocal to MyServerGlobal only for traffic matching Local-2-Vendor
static (inside,outside) MyServerGlobal access-list Local-2-Vendor
!
crypto map outside_map 1 match address Global-2-Vendor
crypto map outside_map 1 set peer XX.25.26.27
crypto map outside_map 1 set transform-set ESP-3DES-SHA
!
tunnel-group XX.25.26.27 type ipsec-l2l
tunnel-group XX.25.26.27 ipsec-attributes
 pre-shared-key MyKey

The above works fine, but it does not allow hosts on the VendorNetwork to initiate the tunnel.

What do I need to change so that the VendorNetwork can bring up the tunnel??
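An added verification walk-through for the configuration above (not from the original poster): it assumes the names, ACLs and policy static shown in the post, a vendor host 10.1.1.10 and tcp/443 as made-up test values, and that the crypto map is bound to the outside interface (the excerpt does not show that binding, so it is included here).

```cisco
! Assumed: crypto map is applied to the outside interface and ISAKMP is enabled there
crypto map outside_map interface outside
crypto isakmp enable outside
!
! 1. Check that each ACL refers to the correct side of the translation:
!    Local-2-Vendor (used by the static) must name the real address,
!    Global-2-Vendor (used by the crypto map) the translated address.
!    Swapping them is the usual reason a tunnel negotiates but no traffic matches.
show running-config static
show running-config access-list Local-2-Vendor
show running-config access-list Global-2-Vendor
!
! 2. Trace a server-initiated flow (10.1.1.10 and 443 are assumed values).
!    The NAT phase should show 192.168.1.1 translated to 10.168.1.1 and the
!    VPN phase should show a match on outside_map entry 1.
packet-tracer input inside tcp 192.168.1.1 1025 10.1.1.10 443 detailed
!
! 3. Once real traffic from MyServerLocal has gone out, confirm both IKE phases
!    and the policy translation exist.
show crypto isakmp sa
show crypto ipsec sa peer XX.25.26.27
show vpn-sessiondb l2l
show xlate | include 10.168.1.1
!
! 4. With the tunnel idle, no SA for XX.25.26.27 appears in "show crypto isakmp sa"
!    until traffic from MyServerLocal triggers negotiation; with policy NAT the
!    vendor side cannot bring it up, so monitor for this state on the ASA.
```

These are read-only show commands plus packet-tracer, so they can be run on a production ASA; the `crypto map ... interface` and `crypto isakmp enable` lines are configuration and only need to be present once.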

7 REPLIES

Re: policy-nat L2L VPN remote initiates tunnel

You can't. Read the Introduction on the following link for an explanation.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Hope it helps.

Community Member

Re: policy-nat L2L VPN remote initiates tunnel

Collin,

Yes, I know of this limitation, but was thinking maybe in v8.x OS that I could do some sort of static(outside,inside) policy-nat, but it seems not to be.

Thx

Community Member

Re: policy-nat L2L VPN remote initiates tunnel

I actually have this exact same scenario - vendor connecting to our servers (we never connect to theirs), and we need to Policy NAT because they've already got our subnets in use for another customer's tunnel. But this means their hosts would not be able to initiate the tunnel, which is obviously problematic since we never make a connection out to them.

I know this was just yesterday, but did you come up with any solution? I guess we could just set up some sort of keepalive on our side to ping an address on their network to make sure the tunnel is kept up at all times?

Community Member

Re: policy-nat L2L VPN remote initiates tunnel

The keep-alive solution was discussed, but ultimately we decided to just set up AnyConnect. It will not provide the same functionality as an L2L tunnel, access to local devices comes to mind, but it will suffice for now.

Community Member

Re: policy-nat L2L VPN remote initiates tunnel

Interesting. We actually have them using client-access now, but their developers have moved to 64-bit OS and thus no more IPSec client, and we haven't yet fully implemented SSL VPN for AnyConnect (nor bought more than the 2 default licenses).

I guess we'll try out a keep-alive.

Thanks for the quick reply.

Community Member

Re: policy-nat L2L VPN remote initiates tunnel

AnyConnect Essential licensing is available now for the ASA5505 $100 for 25 and 5510 $100 for 250 - you do lose the pure SSL clientless connectivity though.

AnyConnect works with 64-bit

see http://www.cisco.com/en/US/customer/docs/security/asa/asa80/license/license80.html#wp86066 and http://www.cisco.com/en/US/customer/docs/security/asa/asa82/license/license82.html#wp170910 for more.

Community Member

Re: policy-nat L2L VPN remote initiates tunnel

Yeah, I've been messing with AnyConnect since I use 64-bit at home and also on my company laptop now. I like it a lot, and the clientless is very appealing for users who just need web or file share access. We just haven't had the time to fully explore it, set up dynamic access policies, etc. Maybe now is that time. :)
