Solved

Cisco ASA Dynamic VPN

Posted on 2014-03-18
13
451 Views
Last Modified: 2014-08-29
Hi,

I am wondering if anybody has come up with a clever solution to this problem?

Scenario:
1. We have a main HUB with ~35 VPNs to different customers.
2. We have one customer who has a Cisco ASA behind an ADSL router with a dynamic IP, so we must configure it with a dynamic VPN crypto map in our HUB.
3. VPN is IPSec Site to Site
4. The tunnel works just fine.

The problem is rather that the tunnel is not setup automatically, it requires "interesting traffic" to pass before the tunnel is established.
Is there any way to make it connect automatically?

I tried to configure the customer ASA with "Originate Only" but then I received errors in the HUB where the customer ASA was trying to setup a tunnel for <CustomerASA Local IP 192.168.0.11> and <Main HUB Public IP> which did not match any crypto map.

I also tried to set up an IP SLA but that did not generate the sufficient traffic. Though, issuing a ping from the customer ASA to our office did get the tunnel going ("ping inside 192.168.0.1" for example).

Would be nice to see if anybody has found a solution to this :-)

Cheers!
Question by:MarcusSjogren
13 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39950636
My solution was to set up an automated polling engine at the remote site, such as What's Up Gold or similar running as a service on an internal server.

A side benefit is that it can send alert e-mails.  (Best if they have an internal mail server.  External mail servers are often unavailable due to the same outage causing the VPN to fail.)
0
 
LVL 4

Author Comment

by:MarcusSjogren
ID: 39952945
Thanks for your suggestion Asavener, but we currently don't have any server there that can do the polling for us.
Therefore I tried to do it via IP SLA but that did not seem to generate interesting traffic to setup the tunnel.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39953083
Does the SLA entry show as up when the VPN is connected and down when the VPN is disconnected?

If I recall correctly, the IP SLA does not allow you to specify a source IP address.  You might need to edit the VPN access list to include ICMP, source outside IP, destination inside IP at VPN endpoint.
0
 
LVL 4

Author Comment

by:MarcusSjogren
ID: 40138184
asavener:

Hmm - I was fairly sure I responded to your answer, but obviously not.

Anyhow - yes, it does show up and down and ICMP is allowed. However - my understanding is that the Cisco ASA cannot generate "interesting traffic" on its own, it has to be generated from the local LAN. I don't understand why but that seems to be the case.

I don't think that what I want to do is possible.
0
 
LVL 4

Author Comment

by:MarcusSjogren
ID: 40138185
0
 
LVL 28

Expert Comment

by:asavener
ID: 40139147
The ASA can definitely produce interesting traffic, but the source address will be the outside interface.  So you have to edit the VPN access list and ONLY include traffic with the correct source and destination addresses.  (For example, if you include the outside interface address and the peer address, the VPN will attempt to tunnel its own traffic.)
0
 
LVL 4

Author Comment

by:MarcusSjogren
ID: 40139156
I have indeed tried to create interesting traffic by using IP SLA with correct source IP etc. but that does not seem to be interesting to put inside the VPN tunnel anyway.
0
 
LVL 28

Expert Comment

by:asavener
ID: 40139165
Did you create a matching traffic ACL on the other end of the VPN?
0
 
LVL 4

Author Comment

by:MarcusSjogren
ID: 40139175
Are you referring to crypto map acl or normal acl?

The crypto map is the full subnets:

Site A:
192.168.0.0/24 (inside) -> 192.168.1.0/24 (Site B)

Site B:
192.168.1.0/24 (inside) -> 192.168.0.0/24 (Site A)
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 40139243
OK.  You will need to add a range that matches the possible outside interface addresses of the ASA with the dynamic address.

For example, if the ASA with the dynamic address is Site B:

Site A:
192.168.0.0/24 -> 192.168.1.0/24
192.168.0.0/24 -> 208.1.1.0/24

Site B:
192.168.1.0/24 -> 192.168.0.0/24
208.1.1.0/24 -> 192.168.0.0/24

Then you set up your IP SLA monitor on Site B, so that it periodically pings a 192.168.0.0/24 address.
0
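The accepted solution above, written out as an ASA configuration fragment. This is an added example and not configuration posted by anyone in the thread. It assumes Site B is the ASA with the dynamic address, that its outside interface gets an address from 208.1.1.0/24 (the placeholder range asavener used), that the interfaces are named `outside` and `inside`, and that the ACL, crypto map and transform-set names (`VPN-TO-SITEA`, `VPN-TO-SITEB`, `OUTSIDE_MAP`, `DYN_MAP`, `ESP-AES-SHA`) are chosen for the example; the `ikev1` keywords are ASA 8.4+ syntax, and the hub's public address is a placeholder. IKE policy, tunnel-group and pre-shared key are left out because the thread says the tunnel already works. Site B's crypto ACL gets a second line for the outside-address range, the hub's ACL mirrors it in the other direction, and an SLA monitor on Site B pings a Site A host through `outside`, so the probe is sourced from the outside address and matches the new line. Deliberately, no ACL line covers traffic from 208.1.1.0/24 to the hub's public address, which per asavener's earlier warning would make the ASA try to tunnel its own IKE/IPsec packets.

```cisco
! ---- Site B: ASA with the dynamic outside address (example config) ----
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Crypto ACL: LAN-to-LAN traffic plus probes sourced from the outside address
access-list VPN-TO-SITEA extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN-TO-SITEA extended permit ip 208.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
! (no entry from 208.1.1.0/24 to the hub's public address on purpose)

crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEA
crypto map OUTSIDE_MAP 10 set peer <HUB-PUBLIC-IP>
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! SLA probe: ICMP echo to a Site A host, sent via 'outside' so its source is the outside address
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.0.1 interface outside
 num-packets 3
 frequency 30
sla monitor schedule 10 life forever start-time now
! Track the probe so 'show track' reflects reachability across the tunnel
track 10 rtr 10 reachability

! ---- Site A (hub): dynamic crypto map entry for Site B (example config) ----
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

access-list VPN-TO-SITEB extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-TO-SITEB extended permit ip 192.168.0.0 255.255.255.0 208.1.1.0 255.255.255.0

crypto dynamic-map DYN_MAP 10 match address VPN-TO-SITEB
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
```

Two things to check after applying it: the hub's NAT exemption (identity NAT) must also cover 192.168.0.0/24 to 208.1.1.0/24, otherwise the echo replies are translated before the crypto ACL sees them and never enter the tunnel; and `show sla monitor operational-state 10` together with `show crypto ipsec sa` on Site B shows whether the probes are actually being sent and whether an SA for the 208.1.1.0/24 -> 192.168.0.0/24 flow comes up. The asker's closing comment reports that the ACL change worked for him but the SLA probe still did not bring the tunnel up, so that second check is where to start if the same happens.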
 
LVL 4

Author Comment

by:MarcusSjogren
ID: 40139250
Hi,

OK - that sounds strange, since I have configured the IP SLA to use a specific source address. But I will see if I can manage to make some tests some day :)
0
 
LVL 28

Expert Comment

by:asavener
ID: 40139338
My experience is that the IP SLA on the ASA is a little squirrely.
0
 
LVL 4

Author Closing Comment

by:MarcusSjogren
ID: 40292432
The resolution marked as an accepted solution works OK, but the IP SLA still does not work as expected as interesting traffic does not seem to be generated by the ASA.
0
