Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Setting up Easy VPN / Basic Qs

I'm a little confused with the differences in setting up easy vpn client or network extension mode. According to docs:

•Client—Specifies that NAT or PAT be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that does not use any IP addresses in the IP address space of the destination server.

So does that mean I don't have to specify an ip local pool on the easy vpn server if using client-mode? In the various sample configs used for this, they all specified an IP pool for incoming connections to grab addresses from or is this pool used for something else?

Actually, my bigger quoestion would be, since the client end has a static IP assigned to both its private and public interfaces, would that render client-mode pointless and we should use netowkr extension instead? Basically at their end they can not use DHCP due to company policy. Does Network extension require dhcp configured onto its device?

New Member

Re: Setting up Easy VPN / Basic Qs


What it means is that you will see all your clients using the same ip address (this mode is called the client mode or NAT mode) and not their individual ip addresses. For instance, I have configure easy vpn to handle IP Phones behind the pix, I also configure dhcp on the client pix so my phones are getting ip on the range of 10.18.16x.x but on my call manager all these phones show as only one ip on the range of 192.168.x.x.

The only difference between client mode and network extension mode is that on client mode they tunnel is up when necessary. In other words, if there is not traficc the tunnel will be down. On network extension mode, the tunnel is up whether or not there is traffic passing through the tunnel.

Let me know if helps.

New Member

Re: Setting up Easy VPN / Basic Qs

Would another difference be that network extension does not use NAT since both ends can see each other's IP? I guess there shouldn't be security problems since these are two trusted LANs that are looking at each other?

I'll prob be doing network extension for this remote site. Since they all have static IPs assigned at their end, do I need to define that IP range so that my easy vpn server will accept them? Something like permit rule here:

crypto isakmp client configuration group VPNGROUP

??? permit [remote ip address range]???


dns x.x.x.x x.x.x.x

wins x.x.x.x x.x.x.x



Thanks for your help in advance.

CreatePlease login to create content