10-02-2008 10:00 AM - edited 03-03-2019 11:46 PM
I have an ASA 5520. I have about 25 sites and I would like to set up Easy VPN with the ASA as the server. The client sites have 800, 1700, 2801 and 3660 series routers.
How could I define multiple tunnels on the ASA in Easy VPN client mode configuration?
Can someone provide a sample config?
Thanks.
10-02-2008 10:34 AM
Hi,
I hope the below URLs help.
PIX/ASA 7.x Easy VPN with an ASA 5500 as the Server and PIX 506E as the Client (NEM) Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml
PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
Regards,
Arul
** Please rate all helpful posts **
10-02-2008 10:50 AM
Thank you. But you mention a situation where we have one client. What about a scenario where we have about 20 remote sites?
Thanks.
10-02-2008 11:57 AM
Hi,
The IPsec configuration on the EasyVPN server side needs 2 changes.
1. You will have to add a "tunnel-group" for each site and then associate a group policy (split tunnel) specific to each site with it:
tunnel-group Group1 general-attributes
default-group-policy GrpPolicy1
tunnel-group Group1 ipsec-attributes
pre-shared-key *
....
....
....
tunnel-group Group2 general-attributes
default-group-policy GrpPolicy2
tunnel-group Group2 ipsec-attributes
pre-shared-key *
2. Just add the traffic for each of the 20 sites to the no-nat access list:
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no-nat
HTH
Saju
pls rate helpful posts
10-03-2008 12:38 AM
Thanks.
1. I thought that NAT is done only in client mode of operation.
2. If I were using client mode, would I need to define a pool of addresses for the clients on the server side?
The remote sites are using different network address spaces (like 10.13.10.0, 10.13.11.0, 10.13.12.0, etc.).
Which mode (client or NEM) do you think is appropriate?
Thanks
10-03-2008 05:34 AM
Hi,
With Cisco Easy VPN in client mode configuration, the entire LAN behind the Easy VPN client undergoes NAT translation to the IP address that is pushed down by the Easy VPN server. In this mode, there is no need to manage the IP address space in the local LAN behind the remote-access router: the same local IP Dynamic Host Configuration Protocol (DHCP) server pool can be configured on all routers.
When Easy VPN runs in client mode, after the IP Security (IPsec) tunnel is established, a loopback interface is dynamically configured on the spoke and assigned an IP address defined in the Easy VPN server's pool. This pool must be routable to the corporate network. Optionally, you can enable split tunneling on the Easy VPN server, meaning that all noncorporate traffic is sent directly to the Internet. In this case only corporate traffic is routed through the tunnel, thereby lightening the load for the VPN headend.
• Client mode: Specifies that Network or Port Address Translation (NAT or PAT) be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that does not use any IP addresses in the IP address space of the destination server. The server pushes down an IP address to the Easy VPN Client, and all traffic from the client will be internally translated to this address before being encrypted to the Cisco Easy VPN Server.
• Network Extension mode: Specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network.
For most of the EasyVPN configurations on the Cisco website:
http://www.cisco.com/en/US/products/ps6659/prod_configuration_examples_list.html
FAQ on EasyVPN: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html
HTH
Saju
Pls rate helpful posts
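Pulling the two answers above together, here is an added example (written for this page, not Saju's or Cisco's configuration) of the server side for two sites, one in Network Extension Mode and one in client mode, in the same pre-8.3 ASA syntax as the nat (inside) 0 line above. Group1/GrpPolicy1 and Group2/GrpPolicy2 come from the post; the hub LAN 10.10.10.0/24, the spoke LAN 10.13.10.0/24, the pool range, the ACL, map and transform-set names and the PSK placeholders are assumptions.

```cisco
! Added example (not from the thread): ASA 7.x/8.0 pre-8.3 server side for two sites.
! Hub LAN 10.10.10.0/24, the pool, ACL/map names and PSK placeholders are assumptions.
! --- IKE/IPsec transport shared by every site ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
! Inject a route for each spoke LAN (NEM) or pool address (client mode) into the hub
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! --- Split tunnel: only the corporate LAN crosses the tunnel ---
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
!
! --- NAT exemption: one line per NEM spoke LAN, plus the client-mode pool ---
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 10.13.10.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list no-nat
!
! --- Site 1 in Network Extension Mode: its LAN 10.13.10.0/24 stays routable ---
group-policy GrpPolicy1 internal
group-policy GrpPolicy1 attributes
 nem enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 default-group-policy GrpPolicy1
tunnel-group Group1 ipsec-attributes
 pre-shared-key SITE1-PSK-PLACEHOLDER
!
! --- Site 2 in client mode: the server must hand out a pool address ---
ip local pool EZVPN-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0
group-policy GrpPolicy2 internal
group-policy GrpPolicy2 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 address-pool EZVPN-POOL
 default-group-policy GrpPolicy2
tunnel-group Group2 ipsec-attributes
 pre-shared-key SITE2-PSK-PLACEHOLDER
```

Each remote router's Easy VPN client configuration then references its own tunnel-group name and key, so a key that leaks at one site does not let that site's router be mistaken for another site, and a single site can be revoked by removing its tunnel-group.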