cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
497
Views
0
Helpful
3
Replies

ASA 5505 + EZVPN Client

MaDe
Level 1
Level 1

Good day all,

this is my network setup in one of our branch office.

LAN ---- inside(​192.168.44.1) ASA outside(10.103.1.159) ---- ISP

The ISP is doing NAT and give us a IP via DHCP (PPPoE dial-in).
Now we want to set up the branch ASA to act as EZVPN client. 
But when I add the config for example this one:

vpnclient server xxx.xxx.xxx.xxx
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup eznemgroup password eznemgrouppass 
vpnclient username eznemuser1 password eznemuser1pass
vpnclient enable

 

We loss Internet connectivity after the last command << vpnclient enable >>.
Problem is that we can only configure the ASA remotely. 

Is this a normal behaviour for VPN client setup? I found nothing in the documentation?

Thanks for your feedback!
Brgds,
Markus 

 

3 Replies 3

Raja Periyasamy
Level 1
Level 1

Did you enable split tunnel on the EZVPN server?

Also you could use a dynamic site to site vpn configuration instead of EZvpn as that would make configuration and troubleshooting much more easier and you will not loose internet on the remote ASA as the crypto ACLs will be defined locally and not pushed from the server.

 

If you don't want to or can not configure split tunneling then you will need to configure hairpinning on the ezvpn server for internet traffic.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Hi Guys,

still struggling with the EZVPN setup.
This is instantaneous setup at the moment.

LAN ---- inside-(​192.168.44.1) ASA outside-(DHCP private IP) ---- (private IP)-ISP Router-(public IP)

The ISP blocks UDP/500 and UDP/4500 so there is no way to setup a site-2-site VPN via IPsec.
So we tried to setup the ASA5505 as EZVPN client and configured to use TCP over IPsec. But without success. I think the problem is the private IP on our outside interface. Has someone face the same problem?

Thanks Markus

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: