ASA 5505 + EZVPN Client

Unanswered Question
Sep 5th, 2014

Good day all,

This is my network setup in one of our branch offices.

LAN ---- inside(192.168.44.1) ASA outside(10.103.1.159) ---- ISP

The ISP is doing NAT and gives us an IP via DHCP (PPPoE dial-in).
Now we want to set up the branch ASA to act as an EZVPN client.
But when I add the config, for example this one:

vpnclient server xxx.xxx.xxx.xxx
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup eznemgroup password eznemgrouppass 
vpnclient username eznemuser1 password eznemuser1pass
vpnclient enable

 

We lose Internet connectivity after the last command << vpnclient enable >>.
The problem is that we can only configure the ASA remotely.

Is this normal behaviour for a VPN client setup? I found nothing in the documentation.

Thanks for your feedback!
Brgds,
Markus 

 

Raja Periyasamy (Cisco Employee) Mon, 09/15/2014 - 09:22

Did you enable split tunnel on the EZVPN server?

Also, you could use a dynamic site-to-site VPN configuration instead of EZVPN, as that would make configuration and troubleshooting much easier, and you will not lose Internet on the remote ASA, as the crypto ACLs will be defined locally and not pushed from the server.

 

Marius Gunnerud (Cisco Designated VIP, 2017 Firewalling) Mon, 09/15/2014 - 10:47

If you don't want to or cannot configure split tunneling, then you will need to configure hairpinning on the EZVPN server for Internet traffic.

--

Please remember to select a correct answer and rate helpful posts

Markus Demmert Thu, 11/06/2014 - 00:23

Hi Guys,

Still struggling with the EZVPN setup.
This is the setup at the moment.

LAN ---- inside-(192.168.44.1) ASA outside-(DHCP private IP) ---- (private IP)-ISP Router-(public IP)

The ISP blocks UDP/500 and UDP/4500, so there is no way to set up a site-2-site VPN via IPsec.
So we tried to set up the ASA5505 as an EZVPN client and configured it to use TCP over IPsec, but without success. I think the problem is the private IP on our outside interface. Has anyone faced the same problem?

Thanks Markus
