Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ezvpn remote client question

with ezvpn remote, you designate an inside ezvpn interface and outside ezvpn interface. When the tunnel is created, a loopback is enabled with ip add from 3000 LAN side. How do i set up routing for this type of setup? In other words, how do i route the packets to use the ip add of the loopback in order for the packets to be tunneled across the ezvpn? Also, If I have NAT, does that take place before or after encryption? How does that affect the ezvpn?

Example scenario


3000 LAN IP Addresses -


vlan 1 interface

ip add

ezvpn inside

ip nat inside


ezvpn inside

ip nat outside

After tunnel is created with 3000, a loopback is enabled with one of the ip addresses given from the 3000.

int loopback1

ip add

Packets from the loopback get sent across the tunnel just fine. Packets from inside ezvpn interface dont go over the tunnel. I believe this is because their addresses are in a different range than the ip add give to the loopback interface so its some sort of routing issue.

so, how do i make the packets fron the ezvpn inside interface get translated into the ip add on the loopback interface (192.168.1.*) in order to go over the tunnel?

I've read the ezvpn documents. they dont really explain the correct details. If ezvpn automatically tunnels traffic from the ezvpn internal to the external, then how are the packets transported across the tunnel? Are they translated into the and transported across the tunnel or are they transported across the tunnel unchanged? If they are transported across the tunnel untranslated, then that would explain why pings dont work from the ezvpn internal interface.

Cisco Employee

Re: ezvpn remote client question


There are three methods you can connect an EzvPN client to the server. (In your case the 871 to the 3000 concentrator).

a. Client Mode

b. Network Extension Mode

c. Network Extension Mode - Plus

In the client mode, you get an IP address assigned to the router which will PAT the interesting traffic going through the tunnel.

In the Network Extension Mode (NEM), you will not get an IP address but use your local subnet on the 871 as the network and SA's will be created from your network to the head end network.

In NEM -plus, you will get an IP address assigned to a loopback interface and also you will get the SA's build for your local subnet on the 871 to the remote subnet on your 3000 concentrator. (Its sort of a hybrid between a & b)

In your case, I believe you are using the third one. If that is the case, the assigned loopback is for the headend device to access the 871 for management purposes.

Note: You can use that loopback interface for PAT so that the local traffic can be sent over through the tunnel but the loopback interface number will change if you disconnect and re-connect after making the NAT to work.

Can you send me the configuration of your 871 router, please.

I think you might have a problem with NAT.

To answer your questions on how the packets are transported, it depends on which mode you are using and how the IPSec SA's are created.



New Member

Re: ezvpn remote client question

I'm using client mode.

The tunnel is coming up and I am getting an ip that is automatically assigned to a loopback interface. When I do an extended ping from the loopback interface, it works fine. When I do extended ping from any other interface, even the vlan1 which is the easyvpn inside interface, it doesnt work either.

I know before the tunnel is established, nat works fine and hosts can get out just fine using NAT.

Since the traffic works fine over the tunnel from the loopback interface, its got to be some problem with routing the packets over the tunnel im assuming. In client mode, do the packets form the inside ezvpn interface travel to loopback, and then over the tunnel. If this doesnt occur and the packets from the ezvpn inside interface automatically go over the tunnel, do they go over unaltered? If so, then this might be why the ping is failing, because the 3000 concentrator doesnt know how to route the packets back to the 871 because obviously the packets on the 871 local lan have different ips than the host on the 3000 LAN side.

Here is my config on the 871.

New Member

Re: ezvpn remote client question

Also, let me make sure i'm getting this right. if you use client mode, then the ezvpn uses PAT to translate the packets over the tunnel. In extension mode, the hosts on the 871 side would get ip addresses from the 3000 LAN side (not just the loopback). Then their packets would just traverse the tunnel without being NAT/PAT'd over.

Cisco Employee

Re: ezvpn remote client question


Guess I am not getting clear to you still about the different modes and operation of the modes.

Please read the link given below:

(Modes of Operation)

The access-list for the NAT configuration should be something like this.

If the internal network on the headend side is 20.20.20.x and your internal network is 10.10.10.x, then the NAT ACL should be.

access-l 100 deny ip

access-l 100 per ip any

Then apply this ACL 100 to the NAT statement for overload.

See if this works.



New Member

Re: ezvpn remote client question

Yea, I've read this article several times.

I am using client mode. According to client mode, it should work like this taken directly from that link.

?Client?Specifies that NAT or PAT be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that does not use any IP addresses in the IP address space of the destination server.

The Cisco 831 router performs NAT or PAT translation over the VPN tunnel so that the PCs can access the destination network.

So, what I am asking you have to create the NAT configuration manually or does the SDM exvpn remote do it for you. I still dont understand, when it saids "performs NAT or PAT translation over the VPN tunnel", does it use the ip address given by the 3000 or what?

Also, in your NAT configuration, I'm not following you. Is that NAT configuration for the tunnel or regular traffic. According to your NAT statement, if traffic is destined for the headend, then it shouldn't be translated and if its destined for it anything else it should be translated. The only reason i see a reason for your NAT statement is if you are using split tunneling. What you would be saying is that any traffic destined for any ip address on the internet, then go ahead and translate it. If its destined for the headend network, then dont translate packets. But if this is true, then specifically explain to me how the packets traverse the tunnel (do they get translated into the ip address given on the loopback or not).

Using your ip addresses, tell me if this is how it should work.








Outside Interface(

Inside Interface(

Normally (no vpn), you want traffic going out to the internet. so you would do translation from vlan1 to fast4, so that you can translate the 10.10.10.* addresses to the

When the tunnel comes up, lets say the loopback gets a Now, since we're using the vpn, the manual NAT that we set should go away while the tunnel is up, and now all 10.10.10.* taffic should be translated into the address and be transported across the tunnel. Then, the 3000 knows that any traffic destined for should be transported back across the tunnel and to whichever host.

If this is not how it works, can you explain it to me host by host.

Cisco Employee

Re: ezvpn remote client question

To answer your question:

"does it use the ip address given by the 3000 or what?"

It uses IP address assigned by the 3000 to do PAT for all packets. (If split tunneling is not used)

I just did a small test and configured just like you have setup in my lab.

The NAT statement that I gave you was explicitly to state deny traffic destined for the headend but pass all traffic - And yes, you are correct. It is for split tunneling. If you do not want to implement that, its ok.

When you do "deb ip nat" and ping from vlan1 interface to, the translation should occur for the assigned IP address.

NAT : s=>assignedip, d=

NAT* : s=, d=assignedip->

sh cry ipsec sa: output should give us some idea as well. Do you see encrypts and decrypts.

Let me know.



New Member

Re: ezvpn remote client question

It must be my 3000 config. Im looking at the 871 config for the 871 on another post and mine looks almost identical. I will look at that some more and get back with ya. Thanks for you help.

Cisco Employee

Re: ezvpn remote client question

Can you send the output of

"sh cry ipsec client ezvpn"


"sh cry ipsec sa"



New Member

Re: ezvpn remote client question

I dont have access to the router at the moment. I've issued the sh cry client ezvpn before when i was first troubleshooting and it didnt give any helpful info. it gave the peer it was connected to, the tunnel status=active, the inside/outside ezvpn interface. It didnt give anything about split tunnel for instance:

Split Tunnel List: 1

Address :

Mask :

Protocol : 0x0

Source Port: 0

Dest Port : 0

Do i have to issue an "ip route ... " command to direct the traffic where to go? The reason why I ask is because when I do a sho ip route, it doesnt show anything about the headend destination route.

It has to be something simple. If the tunnel is up and i can ping from the loopback, its just something with the packets either not being routed over the tunnel or them not being translated and routed over the tunnel.

You said my config looks fine and I've looked at another person's config in this same forum who is doing the 871 to 3000 conce ezvpn and his looks exactly the same. either its something with routing or on the 3000 concentrator side. However with a cisco software client, everything works just fine and it works fine from the loopback so...

CreatePlease login to create content