Easy VPN along with IPSec L2L(Site-to-Site) VPN in the same ASA 5505

Answered Question
Jun 4th, 2012

Hi Experts,

We have an ASA 5505 in our environment and currently two IPSec L2L VPN tunnels are established. But we are planning to connect using Easy VPN (Network Extension Mode) to another site as Client. Is it possible to configure Easy VPN by keeping the currently active IPSec L2L VPN (Site-to-Site) tunnels? If not possible, is there any workaround?

Following is the warning that we get when we tried to configure the Easy VPN Client.

NOCMEFW1(config)# vpnclient enable
* Remove "nat (inside) 0 S2S-VPN"
* Detach crypto map attached to interface outside
* Remove user-defined tunnel-groups
* Remove manually configured ISA policies
CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote
operation has been detected, and is listed above. Please resolve the
above configuration conflict(s) and re-enable.

Thanks and Regards

Anup Sasikumar
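
The warning in the post above names four kinds of existing configuration that block `vpnclient enable`. The following is an added example, not part of the original thread and not Cisco's own check: a Python sketch that scans a saved running-config for those four items before a change window. It assumes ASA 8.x-style syntax; the sample config, names and addresses are constructed.

```python
import re

# Constructed sample of an ASA 8.x-style running-config (not from the thread).
SAMPLE_CONFIG = """\
hostname EXAMPLE-FW
access-list S2S-VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list S2S-VPN
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address S2S-VPN
crypto map OUTSIDE-MAP 10 set peer 192.0.2.10
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *****
"""

# Built-in tunnel-groups are not "user-defined", so they are skipped.
DEFAULT_GROUPS = {"DefaultL2LGroup", "DefaultRAGroup", "DefaultWEBVPNGroup"}

# One pattern per item in the CONFIG CONFLICT warning (approximation, assumed syntax).
CHECKS = [
    ("nat 0 exemption", re.compile(r"^nat \((\S+)\) 0 ")),
    ("crypto map attached to interface", re.compile(r"^crypto map (\S+) interface \S+")),
    ("user-defined tunnel-group", re.compile(r"^tunnel-group (\S+) type ")),
    ("manually configured ISAKMP policy", re.compile(r"^crypto isakmp policy (\d+)")),
]

def find_easyvpn_conflicts(running_config):
    """Return (line number, conflict label, config line) for each match."""
    findings = []
    for lineno, raw in enumerate(running_config.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith(" "):
            continue  # skip blanks and sub-mode lines such as " encryption aes"
        for label, pattern in CHECKS:
            match = pattern.match(line)
            if match is None:
                continue
            if label == "user-defined tunnel-group" and match.group(1) in DEFAULT_GROUPS:
                continue
            findings.append((lineno, label, line))
    return findings

if __name__ == "__main__":
    for lineno, label, line in find_easyvpn_conflicts(SAMPLE_CONFIG):
        print(f"line {lineno}: {label}: {line}")
```

Each finding corresponds to configuration that an existing site-to-site tunnel depends on, which is why the two roles conflict on one device.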

rizwanr74 Mon, 06/04/2012 - 11:04

Hi Anup,

Is the site which is hosting the EasyVPN Server also under your administration as well?

If I were you, I would set up a dynamic L2L tunnel on the Server ASA (assuming your remote end is an ASA hosting the EasyVPN Server), which will work like an EasyVPN server, and your remote hardware vpn-client can still be configured like a static tunnel to the dynamic L2L tunnel.

My understanding is, you cannot have static tunnels configured while being an EasyVPN client for an EasyVPN server.

Hope that makes sense.

thanks

Rizwan Rafeek

anupsasikumar Mon, 06/04/2012 - 12:30

Hi Rizwan ,

Thanks for your helpful response.

The Easy VPN Server end is not under our administration and we think it is a Router most probably.

The device at our end is an ASA 5505 which currently has 2 Site to Site VPN tunnels with a static crypto map on the outside interface. And we get the error mentioned above when trying to configure ASA 5505 as the Easy VPN Client.

Dynamic crypto map needs to be set up on the Server device?

Regards,

Anup

Correct Answer
rizwanr74 Mon, 06/04/2012 - 12:39

"Dynamic crypto map needs to be set up on the Server device?"

Yes, dynamic crypto is set up on the EasyVPN Server side.

thanks

anupsasikumar Tue, 06/05/2012 - 06:28

Hi Rizwan,

Thanks for the reply !

Due to practical difficulties, asking for a Dynamic Crypto map to be set up at the Easy VPN Server end was not possible.

So we had a second ASA 5505 which we erased to factory defaults and configured to be set up as an Easy VPN client just for that remote site.

Thank you

Regards,

Anup 

teddy.obiora Fri, 06/08/2012 - 11:42

Hi Anup,

I have had the privilege of configuring both Site-to-Site and EzVPN on the same ASA 5505 and it works perfectly even as we speak, but what I can't verify is using a hardware client for it. But I guess it should work, going by what is meant to be.

But I have a question to ask you: have you found out what kind of router they have there? If it could do S2S VPN? If it is, why not go ahead and slam another S2S on it, rather than having to do EzVPN?

That's just my two cents about the whole setup.

anupsasikumar Sat, 06/09/2012 - 06:08

Hi Teddy,

That's great. So it's Site to Site VPN and an Easy VPN Client on the same ASA5505?

We don't have an idea of the router at their end and Site to Site VPN is definitely an option which I am also more comfortable with. But they have the upper hand! (Sigh!)

Regards,

Anup


Posted June 4, 2012 at 10:40 AM