We want to do the following:
1) Deploy several ASA 5505s that are behind a NAT router that has a DHCP public IP. (We don't have control over the internet connection at the sites.)
So the ASAs have a private IP (192.168.0.107) like every other PC on that network.
2) I would like to use Easy VPN to connect, but the 5505s will only have one network connection.
3) The PCs will get a static route for a certain subnet (22.214.171.124/24) that points to the 5505, which should send it over the tunnel.
4) I am able to connect with Easy VPN with only one interface (I have shut one of them, the one with the highest security level).
5) I can ping the specific IP and see it leave over the tunnel, but when I ping from another host in the network the ASA won't put it on the tunnel.
After some investigation I find that after Easy VPN connects the ASA uses the following ACL to determine what to send over the tunnel:
access-list _vpnc_acl extended permit ip host 192.168.0.107 126.96.36.199 255.255.255.0
So if I can have that changed to 'access-list _vpnc_acl extended permit ip 192.168.0.0 255.255.255.0 188.8.131.52 255.255.255.0' then the pings from the other PCs should also go over the tunnel.
However, I cannot change this ACL because it is reserved. (ERROR: _vpnc_acl contains a reserved access list name. It cannot be manually configured)
Is there a way I can push this ACL from the ASA 5520 that is the Easy VPN server?
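As an added example, not from the original post, the following shows the two configuration pieces that actually shape the auto-generated _vpnc_acl on an Easy VPN hardware client. The remote (destination) half is pushed by the server through the group policy's split-tunnel network list; the local (source) half is decided by the client's own mode. In client mode every inside host is PATed behind the 5505's outside address, which is why the ACL reads "host 192.168.0.107"; in network-extension mode the source becomes the network behind the client's inside interface. The group-policy, tunnel-group and ACL names, the pre-shared key and the <remote-subnet> placeholder are assumptions for illustration.

```cisco
! Easy VPN server side (ASA 5520) - added example, names are assumed
! Remote networks the hardware client should send over the tunnel
access-list SPLIT_TUNNEL standard permit <remote-subnet> 255.255.255.0
!
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! allow hardware clients to connect in network-extension mode
 nem enable
!
tunnel-group EZVPN_GRP type remote-access
tunnel-group EZVPN_GRP general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_GRP ipsec-attributes
 pre-shared-key <assumed-psk>
!
! Easy VPN hardware client side (ASA 5505) - added example
vpnclient server <server-public-ip>
vpnclient vpngroup EZVPN_GRP password <assumed-psk>
! network-extension-mode makes the inside network (not only the
! outside host address) the source side of the generated _vpnc_acl
vpnclient mode network-extension-mode
vpnclient enable
```

The caveat a practitioner would want: network-extension mode only covers hosts that sit behind the client's inside interface, so it does not by itself change the behaviour for hosts that reach the 5505 on its one (outside) interface, as in the setup described above. The split-tunnel list pushed from the server changes only the destination side of _vpnc_acl.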