Easy vpn with ASA

Answered Question
Oct 2nd, 2008

I have an ASA 5520. I have about 25 sites and I would like to set up Easy VPN with the ASA as a server. The client sites have 800, 1700, 2801 and 3660 series routers.

How could I define multiple tunnels on the ASA in Easy VPN client mode configuration?

Can someone provide a sample config ?

Thanks.

Correct Answer
ajagadee Thu, 10/02/2008 - 10:34

Hi,

I hope the below URLs help.

PIX/ASA 7.x Easy VPN with an ASA 5500 as the Server and PIX 506E as the Client (NEM) Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

Regards,

Arul

** Please rate all helpful posts **

kolawole1 Thu, 10/02/2008 - 10:50

Thank you. But you mention a situation where we have one client. What about a scenario where we have about 20 remote sites?

Thanks.

Correct Answer
singhsaju Thu, 10/02/2008 - 11:57

Hi,

The IPsec configuration on the Easy VPN server side needs 2 changes.

1. You will have to add a "tunnel group" for each site and then associate a group policy (split tunnel) specific to each site to it:

tunnel-group Group1 general-attributes
 default-group-policy GrpPolicy1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
....
tunnel-group Group2 general-attributes
 default-group-policy GrpPolicy2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *

2. Just add traffic to access-list no-nat for each of the 20 sites:

access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no-nat

HTH

Saju

pls rate helpful posts

kolawole1 Fri, 10/03/2008 - 00:38

Thanks.

1. I thought that NAT is done only in client mode of operation.

2. If I were using client mode, would I need to define a pool of addresses for clients at the server side?

The remote sites are using different network address spaces (like 10.13.10.0, 10.13.11.0, 10.13.12.0, etc.).

Which mode (client or NEM) do you think is appropriate?

Thanks

Correct Answer
singhsaju Fri, 10/03/2008 - 05:34

Hi,

With Cisco Easy VPN in client mode configuration, the entire LAN behind the Easy VPN client undergoes NAT translation to the IP address that is pushed down by the Easy VPN server. In this mode, there is no need to manage the IP address space in the local LAN behind the remote-access router: the same local IP Dynamic Host Configuration Protocol (DHCP) server pool can be configured on all routers.

When Easy VPN runs in client mode, after the IP Security (IPsec) tunnel is established, a loopback interface is dynamically configured on the spoke and assigned an IP address defined in the Easy VPN server's pool. This pool must be routable to the corporate network. Optionally, you can enable split tunneling on the Easy VPN server, meaning that all noncorporate traffic is sent directly to the Internet. In this case only corporate traffic is routed through the tunnel, thereby lightening the load for the VPN headend.

• Client mode: Specifies that Network or Port Address Translation (NAT or PAT) be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that does not use any IP addresses in the IP address space of the destination server. The server pushes down an IP address to the Easy VPN Client, and all traffic from the client will be internally translated to this address before being encrypted to the Cisco Easy VPN Server.

• Network Extension mode: Specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network.

For most Easy VPN configurations on the Cisco website:

http://www.cisco.com/en/US/products/ps6659/prod_configuration_examples_list.html

FAQ on EasyVPN: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

HTH

Saju

Pls rate helpful posts
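Saju's two answers above give the recipe (one tunnel-group and group policy per site, one no-nat entry per site, then nat 0) and explain the difference between client mode and network-extension mode. The script below is an added example, not code from the thread or from Cisco: it generates the ASA 7.x/8.0 server-side stanzas for a whole list of remote sites in either mode, and checks the address plan first, because NEM only works when every remote LAN is unique and routable, while client mode hides the remote LANs behind the pushed pool address (so only the pool has to be unique). The corporate LAN 10.10.10.0/24 and the remote LANs 10.13.10.0/24 to 10.13.12.0/24 are the values mentioned in the posts; the pool name and range, the ACL and group-policy names, and the site labels are assumptions, and the pre-shared key is a placeholder.

```python
"""Generate per-site Cisco ASA Easy VPN server stanzas (ASA 7.x/8.0 CLI syntax).

Assumptions, not from the thread: pool name/range, ACL and group-policy names,
site labels. The corporate LAN and remote LANs are the ones the posts mention.
"""
import ipaddress

CORPORATE_LAN = "10.10.10.0/24"          # LAN behind the ASA (Saju's example)
# Constructed pool for client mode: name, first address, last address, mask.
CLIENT_POOL = ("EZVPN-POOL", "192.168.100.1", "192.168.100.50", "255.255.255.0")
# Constructed site list using the address spaces kolawole1 listed.
SITES = [("Site1", "10.13.10.0/24"), ("Site2", "10.13.11.0/24"), ("Site3", "10.13.12.0/24")]
# Placeholder only. Each tunnel-group gets its own key so a single site can be
# re-keyed or shut down without touching the other sites.
PSK_PLACEHOLDER = "<PER-SITE-PRE-SHARED-KEY>"


def dotted(cidr):
    """'10.13.10.0/24' -> ('10.13.10.0', '255.255.255.0'), the form ASA ACLs use."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.netmask)


def pool_network():
    """The /24 (or whatever the mask says) that contains the client-mode pool."""
    _, first, _, mask = CLIENT_POOL
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)


def check_address_plan(sites, corporate, mode):
    """NEM: every remote LAN must be disjoint from the headend LAN and from each
    other. Client mode: remote LANs may all be identical (they are NATed to the
    pushed address), so only the pool must be disjoint from the headend LAN."""
    corp = ipaddress.ip_network(corporate)
    if mode == "nem":
        nets = [ipaddress.ip_network(lan) for _, lan in sites]
        for i, a in enumerate(nets):
            if a.overlaps(corp):
                raise ValueError(f"{sites[i][0]} LAN {a} overlaps corporate LAN {corp}")
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"remote LANs {a} and {b} overlap")
    elif pool_network().overlaps(corp):
        raise ValueError(f"client pool {pool_network()} overlaps corporate LAN {corp}")


def site_stanza(index, label, lan, corporate, mode):
    """Step 1 of Saju's answer (tunnel-group + group-policy with the site's
    split-tunnel list) and, in NEM, step 2 (the site's NAT-exempt entry)."""
    grp, pol, split = f"Group{index}", f"GrpPolicy{index}", f"SPLIT-{index}"
    corp_ip, corp_mask = dotted(corporate)
    lines = [f"! --- {label} ({lan}) ---",
             f"access-list {split} standard permit {corp_ip} {corp_mask}"]
    if mode == "nem":
        lan_ip, lan_mask = dotted(lan)
        lines.append(f"access-list no-nat extended permit ip {corp_ip} {corp_mask} {lan_ip} {lan_mask}")
    lines += [f"group-policy {pol} internal",
              f"group-policy {pol} attributes",
              " split-tunnel-policy tunnelspecified",
              f" split-tunnel-network-list value {split}"]
    if mode == "nem":
        lines.append(" nem enable")          # lets the remote run network-extension mode
    lines += [f"tunnel-group {grp} type ipsec-ra",   # spelled 'remote-access' on newer ASA code
              f"tunnel-group {grp} general-attributes",
              f" default-group-policy {pol}"]
    if mode == "client":
        lines.append(f" address-pool {CLIENT_POOL[0]}")   # the address pushed to the remote
    lines += [f"tunnel-group {grp} ipsec-attributes",
              f" pre-shared-key {PSK_PLACEHOLDER}"]
    return lines


def build_config(sites, corporate=CORPORATE_LAN, mode="nem"):
    """Return the server-side configuration lines for all sites in one mode."""
    if mode not in ("nem", "client"):
        raise ValueError("mode must be 'nem' or 'client'")
    check_address_plan(sites, corporate, mode)
    lines = []
    if mode == "client":
        name, first, last, mask = CLIENT_POOL
        lines.append(f"ip local pool {name} {first}-{last} mask {mask}")
        # The headend only ever sees pool addresses, so one exemption covers all sites.
        corp_ip, corp_mask = dotted(corporate)
        pool_ip, pool_mask = dotted(str(pool_network()))
        lines.append(f"access-list no-nat extended permit ip {corp_ip} {corp_mask} {pool_ip} {pool_mask}")
    for i, (label, lan) in enumerate(sites, start=1):
        lines += site_stanza(i, label, lan, corporate, mode)
    lines.append("nat (inside) 0 access-list no-nat")   # bound once, after all entries exist
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(SITES, mode="nem")))
```

Run it to print the NEM configuration for the three sample sites; call build_config(SITES, mode="client") for the pool-based variant. The per-site split into tunnel-groups is also what lets you revoke one remote router's key, or shut down its tunnel-group, without affecting the other sites.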
