ASA EzVPN with multiple remote subnets

Hi everyone

I am having the challenge of installing EasyVPN based on ASA 5520 and ASA 5505 (with the ASA5505 as the vpnclient) with multiple networks behind the ASA 5505.

Access from the network attached directly on the 5505 to the central site works just fine.

But the second network-segment (which is behind a router on the directly-attached network) cannot connect to the central site.

I guess I have to specify some kind of ACLs to be able to do this.

Btw we do not use split-tunneling, because all traffic is traveling through the tunnel (no local internet access).

The Layout looks like this

(--LAN--)-5520-- -(WAN)- --5505-(--LAN1--)-ROUTER-(--LAN2--)

Connection from LAN1 to LAN works splendidly through the EzVPN tunnel.

Connection from LAN2 to LAN does not work through the EZVPN Tunnel.

Here is the config used so far (besides the normal NONAT, Object-Groups, crypto and ISAKMP stuff):

Client:

vpnclient server 10.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup EzVPN password ****
vpnclient username user1 password ****
vpnclient enable
crypto ipsec df-bit clear-df outside

Server:

group-policy EzVPN internal
group-policy EzVPN attributes
 nem enable
 password-storage enable
tunnel-group EzVPN type ipsec-ra
tunnel-group EzVPN general-attributes
 default-group-policy EzVPN
tunnel-group EzVPN ipsec-attributes
 pre-shared-key ****
username user1 password ***

I hope you can help

Best Regards

Jarle

Accepted Solutions

Re: ASA EzVPN with multiple remote subnets

Unfortunately, this is not supported on the ASA platform. With EasyVPN on the ASA, only connected networks can be advertised. To accomplish what you want to do, you will need to configure a static IPSec tunnel and advertise the local networks via interesting traffic ACL. Alternatively, you could use an IOS device which does have "multiple subnet" capabilities with EasyVPN.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html#wp1098057
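
The static tunnel that the answer above describes, as an added example that is not part of the thread or of Cisco's documentation. It assumes pre-8.3 ASA syntax, static public addresses on both peers, and that the hub already has its crypto map applied to the outside interface; every address, ACL name and map name is a constructed placeholder.

```cisco
! Added example. Constructed values: hub outside 192.0.2.1, spoke outside
! 198.51.100.1, LAN1 192.168.1.0/24, LAN2 192.168.2.0/24 via router 192.168.1.254.
!
! ===== Spoke (ASA 5505), replaces the EzVPN client =====
no vpnclient enable
! LAN2 is not connected, so the 5505 needs a route to it via the inside router.
route inside 192.168.2.0 255.255.255.0 192.168.1.254
! No split tunneling: all traffic from both LANs is interesting traffic.
access-list L2L-HUB extended permit ip 192.168.1.0 255.255.255.0 any
access-list L2L-HUB extended permit ip 192.168.2.0 255.255.255.0 any
! Exempt tunneled traffic from NAT (kept separate from the crypto ACL).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-HUB
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key ****
!
! ===== Hub (ASA 5520) =====
! Crypto ACL is the exact mirror of the spoke's; a mismatch fails Phase 2.
access-list L2L-SPOKE extended permit ip any 192.168.1.0 255.255.255.0
access-list L2L-SPOKE extended permit ip any 192.168.2.0 255.255.255.0
! Assumed already present: the same ISAKMP policy and transform set as on the
! spoke, and NAT exemption for traffic toward both spoke subnets.
! Use a sequence number lower than any dynamic-map entry kept for EzVPN clients.
crypto map OUTSIDE-MAP 20 match address L2L-SPOKE
crypto map OUTSIDE-MAP 20 set peer 198.51.100.1
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES256-SHA
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key ****
```

Once each subnet has sent traffic, `show crypto ipsec sa` on either peer should list a separate SA pair for LAN1 and for LAN2.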

Re: ASA EzVPN with multiple remote subnets

Hi everybody.

This is not supported. It is a limitation of the ASA -> Use any EzVPN Router.

Greetings

Jarle
