Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN on demand

Status
Not open for further replies.
gurner

gurner

Technical User
Feb 13, 2002
522
US
Here's a quick one, I have a few small systems with a basic ADSL at each. I want to attached 5505s to the inside of the ADSL, have it set to a DMZ device on the DSL or port forwarded to.

Because of bandwidth limitations, I only want it to connect to HO, or send data, when requested by an internal client.

I know with a pc we could set a PPTP or L2TP VPN on the client machine to connect on demand.

Could I set the 5505 to sit idle, and then connect to a remote Head Office 5550, when data was matched to a desination, and disconect when done?

I have only really found pieces on DSL based Demand Dial, over L2TP, to LNS, etc

Thanks

Gurner
 
Sort by date Sort by votes
Gurner-

The overhead of a persistent VPN tunnel between two offices with ASA terminated tunnels is negligible. If there is no traffic destined for either site, then there is no real drain on bandwidth keeping the tunnels live.

That being said, and to directly answer your question, I am personally unaware of any way to on demand trigger the tunnel creation (and subsequent disconnect after traffic has ceased to flow).



Chris Clancy, EnCE CCE

MCITP: Enterprise Messaging
MCITP: Server Administrator

" ... when you can't figure out what the problem is, find out what it isn't.... "

 
Upvote 0 Downvote
Ok, thanks. I thought i'd heard someone say they'd done it (a long while ago)

We were hoping to mitigate the poor DSL service, with multiple providers, and get it to route to whichever, when needed, to create a VPN when needed, rather than have multiple live VPN tunnels.

The Journos find that many continental providers charge different rates for AM/PM usage, with very low monthly allowances, and are thinking of using a BGAN or other service (but which charges for time used) when needed.

Gurner
 
Upvote 0 Downvote
Actually, the ASA will tear down the VPN connection when there is no "interesting" traffic to pass. You must cut down the SA lifetime for both IPSec and ISAKMP. The default is 8 hours. I don't think that I would go shorter than 1 hour. You'll just end up burning CPU cycles to do the tunnel negotiation.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
266
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
280
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
121
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
349
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
86
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top