topic Sla from a specific IP in Network Security

Sla from a specific IP

Will Phinney — Tue, 12 Mar 2019 06:06:18 GMT

Good morning everyone,

I'm having an issue with a cloud provider that will not allow traffic to be initiated from their end on a certain SA.I did the debug 1(27) and see my ASA reaching out and them essentially timing out. I've read about this and even TAC confirmed what I was seeing, so the only fix is to initiate a ping from the box itself as I'm only allowing one specific host to this cloud, as it runs through a hub and spoke VPN. The box in question is a linux box that I don't have access to, so if it were ever to stop then that SA would come down. I was thinking about doing an SLA from the far end ASA, but I you can't do a specific source SLA on an ASA, correct? I realize I could open it up to the entire range, but was wondering if anyone had any thoughts on this?

Thanks!

Hi Will,I think as per the

Vibhor Amrodia — Sun, 14 Jun 2015 01:48:39 GMT

Hi Will,

I think as per the requirement , you want the traffic to be initiated from the ASA outside interface for the tunnel to stay up. I think if you configure the SLA in the Outside interface that should generate the necessary ICMP request to keep the tunnel UP and you can change destination as the VPN peer.

Thanks and Regards,

Vibhor Amrodia

Right, but that's assuming I

Will Phinney — Mon, 15 Jun 2015 14:26:02 GMT

Right, but that's assuming I'm allowing all traffic from a certain segment. For example, if I'm only NAT'ing a specific host, say 10.13.20.5 to 10.5.0.0, then I would have to open up to all of 10.13.20.x/24 as I don't believe there is a way to setup an SLA to source from just 10.13.20.5,correct?