I have a remote location with about 10 PCs and users behind it. Currently I'm using a standard IPSEC S2S connection but (don't ask, long story) the site will soon be moving to an ISP that can't give it its own public IP. It will get a private IP on its outside interface and get NATed behind the ISP's public IP on the way out. Obviously this means I can't use a normal IPSEC tunnel. My thought was to use EZVPN to connect the clients/subnet behind the remote ASA to the subnets behind the HQ ASA. I just need someone to sanity check my work. Here is the EZVPN config I plan on adding to the remote and HQ ASAs. I want all traffic to RFC 1918 IPs to cross the tunnel, while internet traffic at the remote site continues to go out its own connection and not down the tunnel.
192.168.98.0 /24 will be the subnet at the remote site. The HQ site has subnets throughout the 3 RFC 1918 ranges.
HQ ASA CONFIG:
access-list inside_nat0_outbound extended permit ip any 192.168.98.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list EZVPNSPLIT extended permit ip any 192.168.0.0 255.255.0.0
access-list EZVPNSPLIT extended permit ip any 10.0.0.0 255.0.0.0
access-list EZVPNSPLIT extended permit ip any 172.16.0.0 255.240.0.0
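As an added sanity check (example code, not part of the original post), a short Python script that parses these ASA access-list lines, rejects a non-contiguous netmask (the original 255.240.255.0 fails this check), classifies sample destinations as tunneled or not, and reports any RFC 1918 space the split list would leave off the tunnel. It reads the destination field of each ACE the way the poster's ACL is written, and the third ACE carries the corrected mask 255.240.0.0.

```python
import ipaddress

# Constructed sample: the split-tunnel ACL from the post (third mask corrected),
# plus the NAT-exempt ACL, pasted as plain ASA CLI text.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 192.168.98.0 255.255.255.0
access-list EZVPNSPLIT extended permit ip any 192.168.0.0 255.255.0.0
access-list EZVPNSPLIT extended permit ip any 10.0.0.0 255.0.0.0
access-list EZVPNSPLIT extended permit ip any 172.16.0.0 255.240.0.0
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_acl(config, name):
    """Return the destination networks of the named ASA extended ACL.

    ASA writes dotted netmasks; a non-contiguous mask such as 255.240.255.0
    makes ipaddress raise ValueError, which is exactly the check we want."""
    nets = []
    for line in config.splitlines():
        p = line.split()
        if p[:4] == ["access-list", name, "extended", "permit"] and len(p) >= 8:
            nets.append(ipaddress.ip_network(f"{p[6]}/{p[7]}"))
    return nets


def tunneled(nets, dst):
    """True if traffic to dst matches the split list and so goes down the tunnel."""
    return any(ipaddress.ip_address(dst) in n for n in nets)


def uncovered_private_space(nets):
    """RFC 1918 address space that the split list leaves off the tunnel."""
    gaps = []
    for rng in RFC1918:
        remaining = [rng]
        for n in nets:
            new = []
            for piece in remaining:
                if piece.subnet_of(n):
                    continue  # this piece is fully covered by the ACE
                if n.subnet_of(piece):
                    new.extend(piece.address_exclude(n))  # carve the ACE out
                else:
                    new.append(piece)
            remaining = new
        gaps.extend(remaining)
    return gaps
```

Run `uncovered_private_space(parse_acl(ASA_CONFIG, "EZVPNSPLIT"))`; an empty list means every RFC 1918 destination is tunneled, and anything else is a range that would leak out the remote site's own internet connection.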