Thanks for your reply.

I can see how NEM functions and just needed positive confirmation that, in fact, it seems to be similar to site-to-site VPNs with continuous use of the original physical IP addresses of devices behind the 3002.

However, NEM is not the preferred method we're looking for (remote sites don't want to have their entire networks exposed but still need to grant us bi-directional access to a specific server), so I am back at the basics of my question: In PAT mode, how does a client workstation or server on the private network behind the 3002 "initiate" a connection and receive a virtual IP address for the tunnel connection from the 5510? That's the part that's confusing me. Also, only NEM requires the assignment of a physical IP address for the private interface of the 3002. Am I to assume that PAT mode allows only a single device directly connected to the 3002 (like through a second physical NIC) to communicate with the network behind the 5510?

Any ideas?

- Matthias.

Hi Matthias,

Internally Routable Subnets are not poosible with EzVPN. Only the directly connected subnet to 3002 would be able to acesss the remote n/w throug the tunnel. this applis to both NEM and PAT mode.

With PAT mode, the ASA will assign an ip address from the pool to the 3002, and all the hosts on 3002 directly connected subnet will now access the tunnel using that single ip address.

In other words, they will be "patted" against that ip address.

Since, they have a patted ip address now, only 3002 can initiate a connection to the ASA internal n/w. Once the connection is established, the traffic will flow bidirectionally.

Hope this answers your questions.

*Please rate if helped.

-Kanishka

Thanks again for your post. Okay, so let me digest the news for me here a bit more:

There are no internally routable subnets behind the 3002 allowed, which basically requires me to physically put the private interface of the 3002 onto the subnet with the system(s) that need access to the VPN tunnel. Correct?

Furthermore, one of my remote sites has two servers behind the 3002 that I must be able to specifcially address from the main site's network, so PAT won't work at all since that would represent all systems behind the 3002 with the same (3002 private) IP address to the central site, correct?

Hence, if using NEM, I must place the 3002's private interface onto the desired remote site subnet and configure the physical IP address accordingly. I suppose the final remaining question is this: How do the systems behind the 3002 "initiate" a tunnel connection (i.e., know where to find the 5510, get a tunnel IP address from the 5510, update their routing table for tunneled traffic)? This is stuff previously done by the VPN software client installed on the systems but now this software client doesn't exist anymore.

- Matthias.

One more thing: All remote sites require split-tunneling (access to their local LANs and their own Internet providers while passing traffic to the central site network through the VPN tunnel). Just mentioning this for routing issues, as I do not have control over these systems and cannot require them to change their default routing to, let's say, the private interface of the 3002.

Also, split tunneling works with NEM. All you have to do is Enable it on the ASA.

-Kanishka

Hi again -

So, now that the concept is clear to me (or at least that's what I thought) I am still not able to pass traffic. Could it be that it is more of a routing or ACL problem somewhere? Both the 5510 and the 3002 are pretty much "virgins" and have no additional security or routing (other than basic default routing) configured. Here's the setup:

test-server

10.12.2.1/16, dg 10.12.1.254

static route 1.5.0.1/32 to 10.12.1.1

--->

ASA5510 private

10.12.1.1/16

(VPN traffic allowed to bypass ACLs)

static route 10.0.0.0/8 to 10.12.1.254

ASA5510 public

68.121.156.8/25

default route to 68.121.156.1

--->

[Internet]

In this test setup the public interface of the 5510 and the 3002 are on the same Internet subnet.

--->

3002 public

68.121.156.9/25, dg 68.121.156.1

3002 private

1.1.1.1/8

--->

test-client

10.5.0.1/8, dg 10.1.1.254

static route 10.12.2.1/32 to 1.1.1.1

Both the 5510 and the 3002 are configured for NEM. The tunnel is established. When the client tries to ping the server, nothing happens at all. When the server tries to ping the client, I can see the following three entries in the ASA log for each ping:

SourceIP 10.12.2.1 DestinationIP 1.5.0.1

IDS:2004 ICMP echo request from 10.12.2.1 to 1.5.0.1 on interface private-e02

SourceIP 1.5.0.1 DestinationIP 10.12.2.1

Built ICMP connection for faddr 1.5.0.1/0 gaddr 68.121.156.8/1 laddr 10.12.2.1/512

SourceIP 1.5.0.1 DestinationIP 10.12.2.1

Teardown ICMP connection for faddr 1.5.0.1/0 gaddr 68.121.156.8/1 laddr 10.12.2.1/512

Any ideas? Thanks again for your help so far.

- Matthias.

typo: test-client is of course 1.5.0.1 instead of 10.5.0.1

Can you connect the test client(1.0.5.1) directly or through some L2 switch to 3002 private intf and put the default gateway as 1.1.1.1

Also, do you have NAT bypass rules defined on the ASA. You would need them.

Thanks,

-Kanishka

Actually, the test-client is directly connected to the private interface of the 3002; its configuration is just a replication of the later "real world" so we test with the actual scenario. I can certainly remove the static route and configure the 3002 as its default gateway.

I do not have NAT exempt rules configured at this time. Currently, there's just one dynamic NAT rule defined to allow the test-server and other machines behind the 5510 to access the internet if necessary. How would I configure the NAT exempt rule in this case? Can NAT be exempted for specific destinations only?

- Matthias.

Hi,

Yes, you should put the test client , directly connected or through a L2 device.

And, we also have to configure NAT exempt rule. Yes, you can configure specific hosts for NAT exemption.

Let's say the 3002 private subnet is 1.0.0.0/8 and the ASA inside subnet is 10.12.0.0/16. You only want NAT exempt for hosts 1.1.1.3 going to 10.12.0.2. The NAT exempt rule will look something like this :

access-list nonat permit ip host 10.12.0.2 host 1.1.1.3

nat (inside) 0 access-list nonat

The ASA configuration would be similar to :

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Hope this helps.

-Kanishka