ASA 5510 Dynamic VPN problem.

Cybervex3
Level 1

I have a few dynamic IPsec tunnels set up for our mobile offices, which connect through various data cards.

Here at the main office I have multiple VLANs: 10.10.0.0 LAN, 10.13.0.0 WiFi, 10.9.0.0 AnyConnect clients. One of the mobile offices has a network of 192.168.2.0. When the mobile office is connected via VPN, only network 10.10.0.0 can access the remote office initially. If someone at the mobile office pings a user on the 10.13.0.0 VLAN, then all 10.13.0.0 devices can traverse the tunnel.

When I view the session details of the tunnel when it is first created, I see only one IPsecOverNatT created for 10.10.0.0. After someone at the remote office pings a user on 10.13.0.0, the session details contain the additional IPsecOverNatT for 10.13.0.0.

Is there any way to force the connection to set up the IPsecOverNatT for each network on connect?

1 Reply

rizwanr74
Level 7

That is a setback of a dynamic tunnel: it behaves like a remote-access VPN client. Only the remote VPN endpoint can initiate traffic to the destination network at first, and only after the remote tunnel endpoint has initiated traffic to your local subnet does traffic flow become available both ways.

Traffic cannot flow first from your local subnet to the remote VPN endpoints, only the other way around.

 

Or you create GRE over IPsec between your remote endpoints and the local subnet switch and establish an EIGRP neighbor over the GRE over IPsec tunnel, in which case your remote tunnel endpoint becomes a routing peer.

Hope this answers your question.

 

thanks
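As an added illustration of the GRE-over-IPsec-with-EIGRP approach suggested in the reply (example configuration, not from the original thread or from Cisco documentation for this exact setup), the following IOS fragments show a hub router terminating the mobile-office tunnels and one spoke router at the 192.168.2.0 office. Because the mobile offices get dynamic addresses from their data cards, the hub side uses multipoint GRE with NHRP (the DMVPN form of GRE over IPsec) so it does not need a fixed tunnel destination per spoke; the hub public address 203.0.113.1, the interface names, the 172.16.255.0/24 tunnel subnet and the EIGRP AS number are assumptions, and the pre-shared key is a placeholder.

```cisco
! --- Hub router (terminates the mobile-office tunnels; assumed to be
!     reachable on 203.0.113.1, either in parallel with the ASA or with
!     the ASA passing UDP/500, UDP/4500 and ESP through to it) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! spoke public addresses are dynamic, so the hub accepts any peer address
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 0.0.0.0
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
interface Tunnel0
 ip address 172.16.255.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 172.16.255.0 0.0.0.255
 ! hub-side 10.x interfaces (10.10.0.0 LAN, 10.13.0.0 WiFi); the ASA-hosted
 ! 10.9.0.0 AnyConnect pool needs a static route plus redistribute static
 network 10.0.0.0 0.255.255.255
! --- Spoke router at the 192.168.2.0 mobile office ---
! (same crypto isakmp policy, transform-set and ipsec profile as the hub)
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
interface Tunnel0
 ip address 172.16.255.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 172.16.255.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.255.1
 tunnel source Cellular0
 tunnel destination 203.0.113.1
 tunnel key 1
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 172.16.255.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
```

Once the EIGRP adjacency forms over Tunnel0, every hub subnet is reachable from the spoke (and vice versa) as soon as the tunnel comes up, with no per-subnet IPsec SA to trigger; `show crypto ipsec sa` and `show ip eigrp neighbors` on either side confirm the state.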