Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

EzVPN or Site to Site IPSEC tunnel

PIX 501 at remote sites and PIX 525 in central site. What's the difference between a EzVPN and Site-to-Site VPN tunnel?

Which is the best method to use?

Cisco Employee

Re: EzVPN or Site to Site IPSEC tunnel

If you don't need to contact each of the machines behind each 501 from the central site, then just use EzVPN in client mode, it simplifies the configuration on both devices (especially the head end) significantly.

If you do need to contact each individual machine behind the 501's, you can use either a L2L or EzVPN in Network-Extension mode. Functionally there's really not much difference, but again the config on the head is significantly easier with EzVPN rather than a L2L tunnel

New Member

Re: EzVPN or Site to Site IPSEC tunnel

Each remote site is using a Cable Modem supplied by the ISP so the PIX is using DHCP to get it's outside IP address, in the docs it does say not to use Network-Extension mode if the IP is dynaimcally assigned, wlthough I can't see why.

I want to use some form of xauth for the remote 501's even if it's just a username entry on the head end. As I see it if a 501 is stolen from a remote site then connected elsewhere a VPN connectino will be established to our internal network without the need to supply a username and password. At least using a username entry on the head PIX I could just delete the specific entry for that remote site then the tunnel wouln't comeup.


New Member

Re: EzVPN or Site to Site IPSEC tunnel

If I just throw in a pennyworth.

If you're concerned about the fact that a remote site might succomb to light fingers, if you configure the central pix for ISKMP keys to authenticate the remotes, this might be a workaround for you because when you're told a pix has gone awol, you remove the relevant key.

I appreciate that the IP are dynamic at the remote, but they rarely change and if they do, you could quickly reconfigure the main pix to sort it out, probably after getting a call from a remote saying they can't log into the network.

apologies if I'm leading you up a blind alley here


New Member

Re: EzVPN or Site to Site IPSEC tunnel

I've got IKE working with AAA now, so I've got an account on the ACS server....So I'm nearly there now!