Easy VPN along with IPSec L2L(Site-to-Site) VPN in the same ASA 5505

Answered Question
Jun 4th, 2012

Hi Experts,

We have an ASA 5505 in our environment and currently two IPSec L2L VPN tunnels are established. But we are planning to connect using Easy VPN (Network Extension Mode) to another site as Client. Is it possible to configure Easy VPN configurations while keeping the currently active IPSec L2L VPN (Site-to-Site) tunnels? If not possible, are there any workarounds?

The following is the warning that we get when we tried to configure the Easy VPN Client.

NOCMEFW1(config)# vpnclient enable

* Remove "nat (inside) 0 S2S-VPN"

* Detach crypto map attached to interface outside

* Remove user-defined tunnel-groups

* Remove manually configured ISA policies

CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remo


operation has been detected, and is listed above. Please resolve the

above configuration conflict(s) and re-enable.

Thanks and Regards

Anup Sasikumar

Overall Rating: 4 (2 ratings)
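
A pre-check for the four conflict classes listed in the warning above, as an added example that is not part of the original thread. The sample running-config is constructed, and the regexes are assumptions about how each item appears in pre-8.3 `show running-config` output (the warning's "ISA policies" is matched here as `crypto isakmp policy`).

```python
import re

# Constructed sample of a pre-8.3 style ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
access-list S2S-VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list S2S-VPN
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 10 match address S2S-VPN
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
"""

# One pattern per conflict class named in the "CONFIG CONFLICT" warning.
# Assumption: these regexes reflect how each item shows up in the running-config.
CONFLICT_PATTERNS = {
    "nat_exemption": re.compile(r"^nat \(\S+\) 0 access-list \S+"),
    "crypto_map_on_interface": re.compile(r"^crypto map \S+ interface \S+"),
    "tunnel_group": re.compile(r"^tunnel-group \S+ type \S+"),
    "isakmp_policy": re.compile(r"^crypto isakmp policy \d+"),
}

def find_easyvpn_conflicts(running_config):
    """Return {conflict class: [matching config lines]} for classes that matched."""
    found = {}
    for line in running_config.splitlines():
        # Indented lines are sub-mode settings, never a top-level command.
        if line.startswith(" "):
            continue
        for label, pattern in CONFLICT_PATTERNS.items():
            if pattern.match(line):
                found.setdefault(label, []).append(line.strip())
    return found

if __name__ == "__main__":
    for label, lines in find_easyvpn_conflicts(SAMPLE_CONFIG).items():
        print(f"[conflict] {label}")
        for entry in lines:
            print(f"    {entry}")
```

Run against a saved copy of the configuration, it lists which lines would have to be removed before `vpnclient enable` is accepted, which makes the cost to the existing L2L tunnels visible up front.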
rizwanr74 Mon, 06/04/2012 - 11:04

Hi Anup,

Is the site which is hosting the EasyVPN Server under your administration as well?

If I were you, I would set up a dynamic L2L tunnel on the Server ASA (assuming your remote end is an ASA hosting the EasyVPN Server), which will work like an EasyVPN server, and your remote hardware vpn-client can still be configured like a static tunnel to the dynamic L2L tunnel.

My understanding is, you cannot have static tunnels configured while being an EasyVPN client for an EasyVPN server.

Hope that makes sense.


Rizwan Rafeek

Anup Sasikumar Mon, 06/04/2012 - 12:30

Hi Rizwan,

Thanks for your helpful response.

The Easy VPN Server end is not under our administration and we think it is a Router most probably.

The device at our end is an ASA 5505 which currently has 2 Site to Site VPN tunnels with a static crypto map on the outside interface. And we get the error mentioned above when trying to configure ASA 5505 as the Easy VPN Client.

Dynamic crypto map needs to be set up on the Server device?



Correct Answer
rizwanr74 Mon, 06/04/2012 - 12:39

"Dynamic crypto map needs to be set up on the Server device?"

Yes, dynamic crypto is set up on the EasyVPN Server side.


Anup Sasikumar Tue, 06/05/2012 - 06:28

Hi Rizwan,

Thanks for the reply!

Due to practical difficulties, asking for a Dynamic Crypto map to be set up at the Easy VPN Server end was not possible.

So we had a second ASA 5505, which we erased to factory defaults and configured to be set up as an Easy VPN client just for that remote site.

Thank you



Azubuike Obiora Fri, 06/08/2012 - 11:42

Hi Anup,

I have had the privilege of configuring both Site-to-Site and EzVPN on the same ASA 5505 and it works perfectly even as we speak, but what I can't verify is using a hardware client for it. But I guess it should work, going by what is meant to be.

But I have a question to ask you: have you found out what kind of Router they have there? If it could do S2S VPN? If it is, why not go ahead and slam another S2S on it, rather than having to do EzVPN?

That's just my two cents about the whole setup.

Anup Sasikumar Sat, 06/09/2012 - 06:08

Hi Teddy,

That's great. So it's Site to Site VPN and an Easy VPN Client on the same ASA5505?

We don't have an idea of the router at their end, and Site to Site VPN is definitely an option which I am also more comfortable with. But they have the upper hand! (Sigh!)

Regards,


