Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2349
Views
0
Helpful
2
Replies

ASA EzVPN with multiple remote subnets

Go to solution
jsteffensen
Level 1
Level 1

‎06-24-2009 06:30 AM

Hi everyone

I am having the challenge of installing EasyVPN based on ASA 5520 and ASA 5505 (with the ASA5505 as the vpnclient) with multiple networks behind the ASA 5505.

Access from the network attached directly on the 5505 to the central site works just fine.

But the second network-segment (which is behind a router on the directly-attached network) cannot connect to the central site.

I guess i have to specify some kind of acl's to be able to do this.

Btw we do not use split-tunneling, because all traffic is traveling through the tunnel (no local internet access).

The Layout looks like this

(--LAN--)-5520-- -(WAN)- --5505-(--LAN1--)-ROUTER-(--LAN2--)

Connection from LAN1 to LAN does work splendid through the EZVPN Tunnel.

Connection from LAN2 to LAN does not work through the EZVPN Tunnel.

Here is the config used so far (besides the normal NONAT, Object-Groups, crypto and ISAKMP stuff):

Client:

vpnclient server 10.x.x.x

vpnclient mode network extension-mode

vpnclient vpngroup EzVPN password ****

vpnclient username user1 password ****

vpnclient enable

crypto ipsec df-bit clear-df outside

Server:

group-policy EzVPN internal

group-policy EzVPN attributes

nem enable

password-storage enable

tunnel-group EzVPN type ipsec-ra

tunnel-group EzVPN general attributes

default-group-policy EzVPN

tunnel-group EzVPN ipsec-attributes

pre-shared-key ****

user user1 password ***

I hope you can help

Best Regards

Jarle

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Todd Pula
Level 7
Level 7

‎06-24-2009 12:28 PM

Unfortunately, this is not supported on the ASA platform. With EasyVPN on the ASA, only connected networks can be advertised. To accomplish what you want to do, you will need to configure a static IPSec tunnel and advertise the local networks via interesting traffic ACL. Alternatively, you could use an IOS device which does have "multiple subnet" capabilities with EasyVPN.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html#wp1098057

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Todd Pula
Level 7
Level 7

‎06-24-2009 12:28 PM

Unfortunately, this is not supported on the ASA platform. With EasyVPN on the ASA, only connected networks can be advertised. To accomplish what you want to do, you will need to configure a static IPSec tunnel and advertise the local networks via interesting traffic ACL. Alternatively, you could use an IOS device which does have "multiple subnet" capabilities with EasyVPN.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html#wp1098057

0 Helpful

Go to solution
jsteffensen
Level 1
Level 1

‎06-24-2009 01:02 PM

Hi everybody.

This is not supported. It is a limitation to the ASA - > Use any EzVPN Router.

Greetings

Jarle

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents