ASA EzVPN with multiple remote subnets

Answered Question
Jun 24th, 2009

Hi everyone

I am having the challenge of installing EasyVPN based on ASA 5520 and ASA 5505 (with the ASA 5505 as the vpnclient) with multiple networks behind the ASA 5505.

Access from the network attached directly on the 5505 to the central site works just fine.

But the second network-segment (which is behind a router on the directly-attached network) cannot connect to the central site.

I guess I have to specify some kind of ACLs to be able to do this.

Btw we do not use split-tunneling, because all traffic is traveling through the tunnel (no local internet access).

The layout looks like this:

(--LAN--)-5520-- -(WAN)- --5505-(--LAN1--)-ROUTER-(--LAN2--)

Connection from LAN1 to LAN works splendidly through the EzVPN tunnel.

Connection from LAN2 to LAN does not work through the EzVPN tunnel.

Here is the config used so far (besides the normal NONAT, Object-Groups, crypto and ISAKMP stuff):

Client (ASA 5505):

vpnclient server 10.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup EzVPN password ****
vpnclient username user1 password ****
vpnclient enable
crypto ipsec df-bit clear-df outside

Server (ASA 5520):

group-policy EzVPN internal
group-policy EzVPN attributes
 nem enable
 password-storage enable
tunnel-group EzVPN type ipsec-ra
tunnel-group EzVPN general-attributes
 default-group-policy EzVPN
tunnel-group EzVPN ipsec-attributes
 pre-shared-key ****
username user1 password ***

I hope you can help

Best Regards

Jarle

Correct Answer
Todd Pula Wed, 06/24/2009 - 12:28

Unfortunately, this is not supported on the ASA platform. With EasyVPN on the ASA, only connected networks can be advertised. To accomplish what you want to do, you will need to configure a static IPSec tunnel and advertise the local networks via interesting traffic ACL. Alternatively, you could use an IOS device which does have "multiple subnet" capabilities with EasyVPN.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html#wp1098057
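The static LAN-to-LAN alternative from the answer above, written out as an added example for the ASA 5505 side; it is not configuration from the original post or from Cisco. All addresses are constructed placeholders: the central LAN is assumed to be 10.1.0.0/24 behind the 5520 at 203.0.113.1, LAN1 is 192.168.1.0/24, LAN2 is 192.168.2.0/24 reachable via the internal router at 192.168.1.254. The syntax is the pre-8.3 ASA syntax of the thread's era (isakmp rather than ikev1, nat 0 rather than twice NAT). The key point is that the crypto ACL, the NAT exemption and the inside route all have to list LAN2 as well as LAN1; EzVPN network-extension mode never offered a place to do that.

```cisco
! Constructed example: static L2L tunnel on the ASA 5505 replacing the EzVPN client.
! The 5505 cannot run vpnclient and a crypto map at the same time, so disable it first.
no vpnclient enable

! Interesting-traffic ACL: both local subnets to the central LAN (assumed addresses).
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.255.0

! NAT exemption for the same pairs, otherwise LAN2 would be translated before encryption.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Route for LAN2 via the internal router so decrypted return traffic can reach it.
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

! Phase 1 / Phase 2 parameters (AES, SHA-1, DH group 2; placeholder values).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Crypto map bound to the outside interface, peer is the 5520 (placeholder address).
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! L2L tunnel group keyed on the peer address; pre-shared key is a placeholder.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key ****
```

The 5520 side mirrors this with the source and destination swapped: its crypto ACL and NAT exemption must list both 192.168.1.0/24 and 192.168.2.0/24 as remote networks, and its tunnel-group is keyed on the 5505's public address. If the previous no-split-tunnel behaviour (all Internet traffic via the central site) is still wanted, the destination in both crypto ACLs becomes any instead of 10.1.0.0/24, and the 5520 needs a NAT rule for the branch subnets toward its outside interface. A quick check after bringing it up is show crypto ipsec sa: each of the two local subnets should appear as its own SA pair with non-zero encaps/decaps counters.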

jsteffensen Wed, 06/24/2009 - 13:02

Hi everybody.

This is not supported. It is a limitation of the ASA -> use any EzVPN router.

Greetings

Jarle
