Easy vpn pix 506 ASA 5510 with only preshare key

Unanswered Question
Sep 11th, 2009


I have a question: I have 2 sites: Site A with a PIX 506 as an easy vpn client and site B with a PIX 515 as an easy vpn server. Both are running 6.3 IOS.

I plan to replace the PIX 515 with an ASA 5510 running IOS version 8.x.

The setup of the vpn client is:

    vpnclient server xxx.xxx.xxx.xxx
    vpnclient mode network-extension-mode
    vpnclient vpngroup xxxx password xxxx
    vpnclient enable

The easy vpn server is:

    vpngroup xxxx address-pool ippool
    vpngroup xxxx dns-server xxx.xxx.xxx.xxx
    vpngroup xxxx default-domain xxx.com
    vpngroup xxxx split-tunnel xxx
    vpngroup xxxx idle-time 86400

As you see, there is no user needed; the client connects with only the preshare key.

I tried to duplicate this with my ASA:

    access-list ezvpn1 extended permit ip any xxxxxx
    group-policy myGROUP internal
    group-policy myGROUP attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ezvpn1
     secure-unit-authentication disable
     nem enable

    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto dynamic-map dynmap 30 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    tunnel-group acces_strom type ipsec-ra
    tunnel-group acces_strom general-attributes
     default-group-policy myGROUP
    tunnel-group xxxxxx ipsec-attributes
     pre-shared-key xxxxxx

Can I configure the easy vpn server on my ASA to only use the preshare key? It requires a username. Or should I add a user to my easy vpn client configuration?

Can I configure the PIX 506 as an easy vpn server? I would open a vpn session, then add the user in the config. I don't want to bring down the vpn between the 2 sites; the remote site is 3 hours from here.

I will replace the 506 with the 515 in the future and configure a L2L vpn.


jouelle666 Tue, 09/15/2009 - 05:06


Can I configure pix 506 as an easy vpn server and access it remotely even if it is already configured as an easy vpn client and connected to my pix 515?

jouelle666 Thu, 09/24/2009 - 12:37

I have read the PIX/ASA 7.x Easy VPN with an ASA 5500 as the Server and PIX 506E as the Client (NEM) Configuration Example


I saw the example PIX-to-PIX 6.x: Easy VPN (NEM) Configuration Example


That is like my actual pix to pix configuration.

But can I configure my ASA 5510 as an easy vpn server without the user authentication?

