Cisco ASA-ASA Dynamic to Static IPsec Issue

trupeni2012
Level 1

We have a typical Dynamic to Static IPsec VPN setup between Site A (Hub) ASA and Site B (Remote) ASA.

The tunnel sets up fine when we initiate traffic from the remote side.

Question: Once the tunnel is set up for a particular IPsec SA (Site B (Host A) to Site A (Server B)), can we initiate from the hub site to set up another totally different IPsec SA (Site A (Server Y) to Site B (Host A)), or is this not supported and does it have to be initiated first from the remote side?

The scenario is that we have SolarWinds monitoring at the Hub site and would like to monitor remote nodes over the dynamic VPN.

Accepted Solution

GioGonza
Level 4

Hello @trupeni2012

Unfortunately, you cannot initiate the traffic from the Hub since you don't have an ACL for that connection, and for that reason you cannot send the traffic through the specific; the only way you can do it is to generate the traffic from the Remote end (Spoke), and after that you should be able to send traffic, in your case monitor with SolarWinds.

There is a way to avoid having a computer on the remote end sending traffic to keep the SA up: you can use your ASA for that with a script (EEM):

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

With this the ASA will send traffic through that specific SA and keep the VPN tunnel up for monitoring purposes; you can also set the time for the packets :)

HTH

Gio


3 Replies

Bogdan Nita
VIP Alumni

The ASA will establish a separate SA for every entry in the crypto ACL, and in the case of a dynamic VPN only the hub can bring up the SA.

I think it is easier to clarify with an example:

access-list CRYPTOMAP-HUB line 1 extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list CRYPTOMAP-HUB line 2 extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0

If only traffic from 192.168.1.1 (Remote) is initiated, the SA will come up and then traffic can also be initiated from 10.0.0.1 (Hub) to 192.168.1.1, but you could not initiate traffic from 10.0.0.1 to 192.168.2.1.
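Putting the two answers together, here is an added example (not from either poster or the linked Cisco tech note) of what the spoke-side configuration looks like: one crypto ACE per remote subnet, each of which becomes its own SA, plus an EEM applet on the spoke ASA that sources a periodic ping from its inside interface so the spoke keeps re-initiating and populating that SA. The interface name `inside`, the 60-second timer, and the addresses are assumptions chosen to match Bogdan's example.

```text
! Spoke (Site B) ASA. Assumed addressing:
!   inside interface = 192.168.1.254 (covered by the first ACE below)
!   hub host to keep reachable (e.g. the SolarWinds poller) = 10.0.0.1
!
! One ACE -> one IPsec SA. A ping that matches the first ACE brings up
! (and keeps up) only the 192.168.1.0/24 <-> 10.0.0.0/8 SA; the second
! ACE's SA still needs traffic of its own from the spoke side.
access-list CRYPTOMAP-SPOKE extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list CRYPTOMAP-SPOKE extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! EEM applet: every 60 s send one ICMP echo sourced from "inside" toward
! the hub host. Because the source address falls inside the crypto ACE,
! the ASA itself is the initiator: the first ping after a tunnel drop
! triggers IKE, and the steady traffic keeps the SA from idling out.
event manager applet KEEP-SA-UP
 event timer watchdog time 60
 action 1 cli command "ping inside 10.0.0.1 repeat 1"
 output none
!
! Check: the SA for that ACE should show rising encaps/decaps counters
! once the applet has run a few times.
! show crypto ipsec sa peer <hub-public-ip>
```

The ping is bound to the inside interface on purpose: a ping sourced from the outside interface does not match the crypto ACL and will not bring the SA up.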


Thanks. The EEM script is the way to go. Thanks all for pointing me in the right direction.