I have an ASA 5520. I have about 25 sites and I would like to set up Easy VPN with the ASA as the server. The client sites have 800, 1700, 2801 and 3660 series routers.
How could I define multiple tunnels on the ASA in Easy VPN client mode configuration?
Can someone provide a sample config ?
With Cisco Easy VPN in client mode configuration, the entire LAN behind the Easy VPN client undergoes NAT translation to the IP address that is pushed down by the Easy VPN server. In this mode, there is no need to manage the IP address space in the local LAN behind the remote-access router; the same local IP Dynamic Host Configuration Protocol (DHCP) server pool can be configured on all routers.
When Easy VPN runs in client mode, after the IP Security (IPsec) tunnel is established, a loopback interface is dynamically configured on the spoke and assigned an IP address defined in the Easy VPN server's pool. This pool must be routable to the corporate network. Optionally, you can enable split tunneling on the Easy VPN server, meaning that all noncorporate traffic is sent directly to the Internet. In this case only corporate traffic is routed through the tunnel, thereby lightening the load for the VPN headend.
• Client mode: Specifies that Network or Port Address Translation (NAT or PAT) be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that does not use any IP addresses in the IP address space of the destination server. The server pushes down an IP address to the Easy VPN Client, and all traffic from the client will be internally translated to this address before being encrypted to the Cisco Easy VPN Server.
• Network Extension mode: Specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network.
For most Easy VPN configurations, see the Cisco website:
Pls rate helpful posts
The IPsec configuration on the Easy VPN server side needs 2 changes.
1. You will have to add a "tunnel-group" for each site and then associate a group policy (split tunnel) specific to each site with it:
tunnel-group Group1 general-attributes
 default-group-policy <group-policy-for-site-1>
tunnel-group Group1 ipsec-attributes
 pre-shared-key <key-for-site-1>
tunnel-group Group2 general-attributes
 default-group-policy <group-policy-for-site-2>
tunnel-group Group2 ipsec-attributes
 pre-shared-key <key-for-site-2>
2. Just add traffic to the access list no-nat for each of the 20 sites:
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no-nat
pls rate helpful posts
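With 20 to 25 spokes, writing the per-site tunnel-group, group-policy, split-tunnel ACL and NAT-exemption lines by hand is where mistakes creep in (a duplicated tunnel-group name, or two NEM spokes that overlap). The following is an added example, not code from this thread or from Cisco: a small Python generator that emits the two per-site changes described in the answer above for every site in a list, in the ASA 7.x/8.0-8.2 syntax the answer uses (`nat (inside) 0 access-list`). The site names, subnets, pool name and pre-shared-key placeholders are constructed for the example; it assumes the shared parts of the headend (the `ip local pool`, ISAKMP policy and dynamic crypto map) already exist, since the answer only covers the per-site additions. It also goes a step beyond the thread by handling both modes: in client mode one NAT exemption for the pool covers every spoke, while in NEM each spoke LAN gets its own line and must not overlap another spoke or the corporate LAN.

```python
"""Generate per-site ASA Easy VPN server config for many spokes (example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed values for this example.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.10.10.0/24")]       # LAN(s) behind the ASA
POOL_NAME = "ezvpn-pool"                                            # assumed: 'ip local pool ezvpn-pool ...' exists
POOL_NETWORK = ipaddress.ip_network("192.168.200.0/24")             # assumed address range of that pool
NO_NAT_ACL = "no-nat"                                               # ACL name used in the answer above


@dataclass
class Site:
    name: str        # tunnel-group name; the spoke router presents this as its Easy VPN group name
    remote_net: str  # LAN behind the spoke; used in NEM only, client mode hides it behind the pool
    psk: str         # pre-shared key (placeholder text in this example)


def _mask(net: ipaddress.IPv4Network) -> str:
    """ASA ACL syntax wants 'network netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def validate_sites(sites: List[Site], mode: str) -> None:
    """Reject the two things that quietly break a multi-site headend."""
    if mode not in ("client", "nem"):
        raise ValueError("mode must be 'client' or 'nem'")
    names = [s.name for s in sites]
    if len(set(names)) != len(names):
        raise ValueError("tunnel-group names must be unique per site")
    if mode == "nem":
        # NEM routes each spoke LAN as-is, so overlapping spoke LANs (or a spoke
        # that overlaps the corporate LAN) leave hosts unreachable.
        nets = [ipaddress.ip_network(s.remote_net) for s in sites]
        for i, a in enumerate(nets):
            for b in nets[i + 1:] + CORPORATE_NETWORKS:
                if a.overlaps(b):
                    raise ValueError(f"NEM needs unique routable spoke LANs; {a} overlaps {b}")


def config_is_valid(sites: List[Site], mode: str) -> bool:
    """Boolean wrapper around validate_sites for callers that do not want exceptions."""
    try:
        validate_sites(sites, mode)
        return True
    except ValueError:
        return False


def build_site_config(site: Site, mode: str) -> List[str]:
    """Per-site additions: split-tunnel ACL, group-policy, tunnel-group and (NEM) NAT exemption."""
    split_acl = f"{site.name}-split"
    policy = f"{site.name}-policy"
    lines = [f"access-list {split_acl} standard permit {_mask(n)}" for n in CORPORATE_NETWORKS]
    lines += [
        f"group-policy {policy} internal",
        f"group-policy {policy} attributes",
        " split-tunnel-policy tunnelspecified",        # only corporate traffic enters the tunnel
        f" split-tunnel-network-list value {split_acl}",
    ]
    if mode == "nem":
        lines.append(" nem enable")                    # server must allow Network Extension Mode explicitly
    lines += [
        f"tunnel-group {site.name} type ipsec-ra",
        f"tunnel-group {site.name} general-attributes",
        f" address-pool {POOL_NAME}",
        f" default-group-policy {policy}",
        f"tunnel-group {site.name} ipsec-attributes",
        f" pre-shared-key {site.psk}",
    ]
    if mode == "nem":
        remote = ipaddress.ip_network(site.remote_net)
        for corp in CORPORATE_NETWORKS:
            lines.append(f"access-list {NO_NAT_ACL} extended permit ip {_mask(corp)} {_mask(remote)}")
    return lines


def build_config(sites: List[Site], mode: str) -> List[str]:
    """Full set of per-site changes for the headend, ending with the nat 0 statement."""
    validate_sites(sites, mode)
    lines: List[str] = []
    for site in sites:
        lines += build_site_config(site, mode)
    if mode == "client":
        # Every spoke LAN is translated to a pool address, so one exemption covers all sites.
        for corp in CORPORATE_NETWORKS:
            lines.append(f"access-list {NO_NAT_ACL} extended permit ip {_mask(corp)} {_mask(POOL_NETWORK)}")
    lines.append(f"nat (inside) 0 access-list {NO_NAT_ACL}")
    return lines


if __name__ == "__main__":
    demo = [Site("Site1", "192.168.10.0/24", "PSK-PLACEHOLDER-1"),
            Site("Site2", "192.168.11.0/24", "PSK-PLACEHOLDER-2")]
    print("\n".join(build_config(demo, "nem")))
```

Each spoke router then uses its own tunnel-group name and key as the Easy VPN group, so one compromised spoke key can be revoked by editing a single `tunnel-group ... ipsec-attributes` stanza instead of re-keying every site.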
I hope the below URLs help.
PIX/ASA 7.x Easy VPN with an ASA 5500 as the Server and PIX 506E as the Client (NEM) Configuration Example
PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example
** Please rate all helpful posts **