Cisco Support Community

easy vpn with one interface

We want to do the following:

1) Deploy several ASA 5505s that are behind a NAT router that has a DHCP public IP. (We don't have control over the internet connection at the sites.)

So the ASAs have a private IP ( like every other PC on that network.

2) I would like to use easyvpn to connect, but the 5505's will only have one network connection

3) The PCs will get a static route for a certain subnet ( that points to the 5505 that should send it over the tunnel.

4) I am able to connect with easyvpn with only one interface (I have shut one of them -> with highest security level)

5) I can ping the specific IP and see it leave over the tunnel, but when I ping from another host in the network the ASA won't put it on the tunnel.

After some investigation I find that after easyvpn connects the asa uses the following acl to determine what to send over the tunnel:

access-list _vpnc_acl extended permit ip host

So if I can have that changed to 'access-list _vpnc_acl extended permit ip' then the pings from the other PCs should also go over the tunnel.

However I can not change this acl because it is reserved. (ERROR: _vpnc_acl contains a reserved access list name. It cannot be manually configured)

Is there a way I can push this acl from the ASA5520 that is the easy vpn server?


Re: easy vpn with one interface

You can change the ACL on the ASA but it can not be changed on the Easy VPN clients. Following link may help you
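To illustrate the reply's point that the tunnel ACL is controlled on the Easy VPN server rather than on the hardware client, here is an added configuration example for the ASA 5520 acting as the server. It is not from this thread or from Cisco documentation; the object names (EZVPN_SPLIT, EZVPN_GP, EZVPN_TG) and the 192.0.2.0/24 network are placeholders chosen for illustration. The split-tunnel network list defined in the group policy is what the server pushes to each connecting ASA 5505, and it is the source of the _vpnc_acl entries that cannot be edited locally on the client.

```cisco
! Added example, not from the original thread. Easy VPN SERVER side (ASA 5520).
! All names and addresses below are placeholders.
!
! Networks behind the server that remote sites may reach through the tunnel.
! Keep this list as narrow as possible; it defines what the clients are allowed to send.
access-list EZVPN_SPLIT standard permit 192.0.2.0 255.255.255.0
!
! Group policy pushed to the Easy VPN hardware clients.
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN_SPLIT
 ! Optional: allow the 5505s to run in network-extension mode instead of client mode
 ! (assumed to be wanted here; leave it out if the remote LANs must stay behind PAT).
 nem enable
!
! Tunnel group the hardware clients connect to; the pre-shared key is a placeholder.
tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

After a client reconnects, `show vpn-sessiondb` on the server and `show vpnclient detail` on the ASA 5505 show the session and the pushed split-tunnel networks, which is the quickest way to confirm the new list actually reached the client.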