Thanks for the help! I will put the configurations up in a few and give it a whirl!

IOS on the 1811 is 12.4(6)T7.

Craig

Setting up the xauth to local and definind a user/pw worked great! Thanks for the help.

But I'm having another issue, there is definately something wrong with my configuration.

The tunnel is up and active, and from my internal network I can ping the remote default-gateway, but I cannot ping the host on the other side of the default gateway. I have checked routing on my cores and the VPN ASA. I can see the correct network range from the ASA as well:

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 10, local addr: 192.168.20.11

local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.127.129.0/255.255.255.128/0/0)

current_peer: XX.XX.XX.XX, username: GRPNAME

dynamic allocated peer ip: 0.0.0.0

From the above output you can see it's matching the 10.127.129.0/25 netowrk.

Here is the config:

group-policy DfltGrpPolicy attributes

dns-server value 10.64.10.1 10.64.10.2

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

split-dns value xxxxx.net

nem enable

tunnel-group EZ type remote-access

tunnel-group EZ ipsec-attributes

pre-shared-key *

I can set these up all day as static entries, and I have VPN clients remoting in just fine, just not this EZVPN setup.

Thanks,

Craig

for the ezvpn tunnel group, do you have the following command:

isakmp ikev1-user-authentication none

I was an idiot, I had my NAT wrong on the VPN clinet router. I was allowing all communication sourced from the remote network to be NAT'd (worked well for internet access) but it was also NAT'ing the traffic destined to the VPN tunnel.

Thanks for the help,

Craig