Cisco ASA – manually start a VPN tunnel

ciscocisco-asavpn

Using a cisco ASA is it possible manually bring up a lan to lan VPN tunnel & SA from the device, rather than having one of the systems that is part of the VPN initiate traffic to start the VPN?

I'd like to avoid having to trigger a ping on one of the systems in a VPN to start the VPN, to make troubleshooting a bit quicker.

Best Answer

You have to present "interesting traffic" to the ASA. There's no command that would bring up the tunnel without traffic.

Related Solutions

Cisco ASA and static IPv6 tunnel endpoint

I had the same problem, and I've worked it out. Your question helped me greatly, actually. The loopback tunnelling was the trick.

There were significant ASA OS changes, especially with respect to NAT, in the 8.3 release. That's what I'm running, so it's likely the syntax will not work prior to 8.3. I don't know if you could even do this prior to 8.3.

Here's how it's set up. I'll include some configuration snippets below to back this up.

As you, I have an ASA between my edge router and my internal network. I only have one publicly-addressable IPv4 address. I was able to NAT protocol 41 traffic between a specific external host and a specific internal host using the ASA's outside public IP address. The tunnel is terminated on an internal host.

The internal host has two ethernet interfaces. One, connected to the internal network, only runs IPv4. The other, connected to the same segment as the outside interface of the ASA, only runs IPv6. There is also a tunnel interface for the IPv6 tunnel. The configuration of the tunnel came directly from Hurricane Electric's web site. If you have a tunnel configured with them, they can show you detailed configuration instructions for at least 8 different operating systems.

The ASA uses the edge router's IPv4 address as it's default IPv4 route. It uses the IPv6 address of the tunnel endpoint as it's default IPv6 address. Internal hosts use the ASA as their default route for either version, except the tunnel endpoint, which uses its tunnel interface as the default for IPv6.

IPv6 packets go through the ASA twice in each direction. Out, they go through the ASA, to the tunnel endpoint where they are put into the tunnel, and out again through the ASA. Both IPv4 and IPv6 get all of the benefits of the ASA firewall.

The real trick was getting the protocol 41 traffic through the ASA. Here are the pieces that made that work:

object service 6in4
 service 41
object network ipv6_remote_endpoint
 host x.x.x.x
object network ipv6_local_endpoint
 host y.y.y.y

access-list outside_in extended permit object 6in4 object ipv6_remote_endpoint object ipv6_local_endpoint

nat (inside,outside) source static ipv6_local_endpoint interface destination static ipv6_remote_endpoint ipv6_remote_endpoint

Good luck with it!

Rob

Cisco ASA 5505 does not initiate site to site VPN

I would run through these steps:

Before the L2L P2 is up, go ahead and ping an interesting traffic host. If everything is set up correctly, this will initiate the tunnel. Apologies if you already knew that but some do not.
On the ASA, ensure that you have set up a crypto map entry for the interesting traffic. What could be happening, and this is just a guess, but perhaps you do not have the correct crypto map in place and instead when the peer initiates you are establishing using the dynamic crypto map.
Using ASDM you can check out your connection profile and check your setting under Crypto Map and make sure that it is on "Bidirectional" rather than "answer only"
Finally, make sure that is not your peer that is the issue.

Best Answer

Related Solutions

Cisco ASA and static IPv6 tunnel endpoint

Cisco ASA 5505 does not initiate site to site VPN

Related Topic