Cisco Support Community
Community Member

ASA-to-ASA EZVPN check

I have a remote location with about 10 PCs and users behind it.  Currently I'm using a standard IPSEC S2S connection but (don't ask, long story) the site will soon be moving to an ISP that can't give it its own public IP.  It will get a private IP on its outside interface and get NATed behind the ISP's public IP on the way out.  Obviously this means I can't use a normal IPSEC tunnel.  My thought was to use EZVPN to connect the clients/subnet behind the remote ASA to the subnets behind the HQ ASA.  I just need someone to sanity check my work.  Here is the EZVPN config I plan on adding to the remote and HQ ASAs.  I want all traffic to RFC 1918 IPs to cross the tunnel, while internet traffic at the remote site continues to go out its own connection and not down the tunnel.

192.168.98.0 /24 will be the subnet at the remote site.  The HQ site has subnets throughout the 3 RFC 1918 ranges. 

--------------------------------------------

HQ ASA CONFIG:

access-list inside_nat0_outbound extended permit ip any 192.168.98.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list EZVPNSPLIT extended permit ip any 192.168.0.0 255.255.255.0
access-list EZVPNSPLIT extended permit ip any 10.0.0.0 255.0.0.0
access-list EZVPNSPLIT extended permit ip any 172.16.0.0 255.240.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy RemoteTG internal
group-policy RemoteTG attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list EZVPNSPLIT
 default-domain value <domain>
 nem enable
 webvpn
username remote password CHANGEME! privilege 0
username remote attributes
 vpn-group-policy RemoteTG
tunnel-group RemoteTG type remote-access
tunnel-group RemoteTG general-attributes
 default-group-policy RemoteTG
tunnel-group RemoteTG ipsec-attributes
 pre-shared-key CHANGEME!

-----------------------

REMOTE ASA CONFIG:

vpnclient server <Public IP of the HQ ASA>
vpnclient mode network-extension-mode
vpnclient vpngroup RemoteTG password CHANGEME!
vpnclient username remote password CHANGEME!
vpnclient enable

VIP Purple

Re: ASA-to-ASA EZVPN check

All in all it looks fine. Two things:

1) On the ASA, normally a standard ACL is used for Split-Tunneling, but the extended can also work. In your ACL some subnet-masks were wrong:

access-list EZVPNSPLIT standard permit 10.0.0.0 255.0.0.0
access-list EZVPNSPLIT standard permit 172.16.0.0 255.240.0.0
access-list EZVPNSPLIT standard permit 192.168.0.0 255.255.0.0

2) If not already in your config (and depending on your version) you have to enable NAT-Traversal:

crypto isakmp nat-traversal 20

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
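An added checker (not from this thread and not a Cisco tool) for the two mask mistakes the reply points out: the non-contiguous 255.240.255.0 mask, and a 192.168.0.0/24 entry that does not cover the whole 192.168.0.0/16 range the poster wants tunneled. It assumes each split-tunnel ACL line ends in "address mask" and also flags entries whose address has host bits set under the given mask.

```python
import ipaddress

# Constructed samples: the split-tunnel ACL as posted in the question, and the
# corrected lines from the accepted reply.
ACL_AS_POSTED = [
    "access-list EZVPNSPLIT extended permit ip any 192.168.0.0 255.255.255.0",
    "access-list EZVPNSPLIT extended permit ip any 10.0.0.0 255.0.0.0",
    "access-list EZVPNSPLIT extended permit ip any 172.16.0.0 255.240.255.0",
]
ACL_CORRECTED = [
    "access-list EZVPNSPLIT standard permit 10.0.0.0 255.0.0.0",
    "access-list EZVPNSPLIT standard permit 172.16.0.0 255.240.0.0",
    "access-list EZVPNSPLIT standard permit 192.168.0.0 255.255.0.0",
]
# The three RFC 1918 ranges the poster wants to reach through the tunnel.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_entry(line):
    """Return (network, problem) for one ACL line.

    The last two tokens are taken as address and netmask (assumption about the
    line layout). strict=True rejects an address with host bits set, and
    ipaddress rejects a non-contiguous mask such as 255.240.255.0.
    """
    addr, mask = line.split()[-2:]
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=True), None
    except ValueError as exc:
        return None, f"{addr} {mask}: {exc}"


def check_split_tunnel(lines):
    """List every problem: unparsable entries and RFC 1918 ranges not fully covered."""
    problems, nets = [], []
    for line in lines:
        net, problem = parse_entry(line)
        if problem:
            problems.append(problem)
        else:
            nets.append(net)
    for private in RFC1918:
        # A range counts as covered only if one entry contains all of it.
        if not any(private.subnet_of(net) for net in nets):
            problems.append(f"{private} not fully covered by any entry")
    return problems


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(label, check_split_tunnel(acl) or "OK")
```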

