Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Initiator Question

Is it possible to have VPN tunnel set up as VPN initiator while having only one host be set as both initiator and receiver?

For example:

All hosts in 10.10.0.0/18 are permitted over the tunnel.  However there's one host 10.10.50.50(DNS Server) which needs to be set as bi-directional.

Also if this is possible would it apply to both Site to Site and Client to Site VPN's?

ASA Config:

5510 running 8.0(5) also has High Availability configured

Thanks

Everyone's tags (3)
1 REPLY
New Member

Re: VPN Initiator Question

Hi,

If you review the basics of the VPN it may answer your question.

Crypto-map= identifies interesting traffic to initiate VPN

ACL= identifies what can communicate across the VPN, if enabled in crypto and disabled in ACL. It ain't happening

You wish to allow a subnet so the traffic has to be matched in the crypto to initiate the tunnel. The traffic then also matched by the acl is then allowed. If you wish you can consider this a double acl. If you do not match both, then you won't get through. All hosts matching will initiate the tunnel.

In summary, if you wish to allow a single host to initiate a 2-way VPN and then allow traffic in both directions.

The answer as I understand it is, No

Sent from Cisco Technical Support iPad App

382
Views
0
Helpful
1
Replies