I am having the challenge of installing EasyVPN based on ASA 5520 and ASA 5505 (with the ASA5505 as the vpnclient) with multiple networks behind the ASA 5505.
Access from the network attached directly on the 5505 to the central site works just fine.
But the second network-segment (which is behind a router on the directly-attached network) cannot connect to the central site.
I guess I have to specify some kind of ACLs to be able to do this.
Btw we do not use split-tunneling, because all traffic is traveling through the tunnel (no local internet access).
The layout looks like this:
(--LAN--)-5520-- -(WAN)- --5505-(--LAN1--)-ROUTER-(--LAN2--)
Connection from LAN1 to LAN works splendidly through the EZVPN tunnel.
Connection from LAN2 to LAN does not work through the EZVPN tunnel.
Here is the config used so far (besides the normal NONAT, Object-Groups, crypto and ISAKMP stuff):
vpnclient server 10.x.x.x
vpnclient mode network extension-mode
vpnclient vpngroup EzVPN password ****
vpnclient username user1 password ****
crypto ipsec df-bit clear-df outside
group-policy EzVPN internal
group-policy EzVPN attributes
tunnel-group EzVPN type ipsec-ra
tunnel-group EzVPN general attributes
tunnel-group EzVPN ipsec-attributes
username user1 password ***
I hope you can help.
Unfortunately, this is not supported on the ASA platform. With EasyVPN on the ASA, only connected networks can be advertised. To accomplish what you want to do, you will need to configure a static IPSec tunnel and advertise the local networks via interesting traffic ACL. Alternatively, you could use an IOS device which does have "multiple subnet" capabilities with EasyVPN.
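As an added illustration of the static IPsec (LAN-to-LAN) approach described in the answer, here is a remote-side configuration for the ASA 5505. This is example configuration written for this page, not from the original poster or from Cisco; it assumes pre-8.3 ASA syntax (matching the `vpnclient`/`ipsec-ra` style in the question) and uses constructed placeholder addresses: 203.0.113.1 for the hub's outside interface, 192.168.1.0/24 for LAN1, 192.168.2.0/24 for LAN2 reachable via a router at 192.168.1.2, and 10.0.0.0/8 for the central LAN. The access-list and crypto map names are also assumed.

```cisco
! Remote-site ASA 5505, static LAN-to-LAN tunnel replacing the EasyVPN client.
! All addresses and object names below are constructed placeholders.

! The vpnclient feature and a crypto map cannot share the outside interface,
! so the EasyVPN client configuration is disabled first.
no vpnclient enable

! The ASA must know how to reach LAN2 through the internal router.
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

! Interesting traffic: both local subnets to the central LAN.
! The hub (5520) must carry the exact mirror image of these two lines,
! otherwise phase 2 fails for the LAN2 proxy identity.
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list L2L_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0

! NAT exemption for the same flows; without the LAN2 line its traffic is
! PATed to the outside address and never matches the crypto ACL.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT

! Phase 1 (ISAKMP) and phase 2 (IPsec) policy.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! Static crypto map pointing at the hub.
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside

! LAN-to-LAN tunnel group keyed on the peer address.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key ********
```

Two points worth checking after applying something like this. First, each line of the crypto ACL produces its own IPsec SA pair, so `show crypto ipsec sa` on either side should list two SAs with distinct local/remote proxy identities, and only the 192.168.2.0/24 SA's encapsulation counters should increase when a LAN2 host generates traffic; if that SA never appears, the hub-side mirror ACL or the NAT exemption is the usual cause. Second, the ACL above only tunnels traffic destined for 10.0.0.0/8; since the original setup sends all traffic (including internet) through the hub, reproducing that behaviour with a static tunnel means widening the destination to `any` on both sides and having the hub NAT that traffic out, which is a design decision to make deliberately rather than by accident.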