Client behind EzVPN Remote (ASA 5505)

Hi there

I am trying to configure a simple EzVPN infrastructure:

EzVPN Server (CISCO2811, hostname cme) <--> EzVPN Remote (ASA5505, hostname ezvpn-asa) <--> Client

Attached you will find both configurations of the EzVPN server and remote. The tunnel comes up, and if I ping from the ASA to the router, I see the packets getting encrypted:

ezvpn-asa# ping 172.16.100.1
...

ezvpn-asa# show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
      access-list _vpnc_acl permit ip host 172.16.100.2 host 172.16.100.1
      local ident (addr/mask/prot/port): (172.16.100.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.1/255.255.255.255/0/0)
      current_peer: 172.16.100.1, username: 172.16.100.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

If I connect a client with IP address 192.168.1.2 to the interface eth0/1 and do a ping to the cme, I don't see any packets getting encrypted. I don't have any idea about VPN, I just need it for a wireless lab environment. What do I have to configure on the ASA, so the inside traffic is encrypted?

Thanks in advance and best regards

Dominic

1 Accepted Solution

mvsheik123
Level 7

Hi,

Looks like you are missing split-tunnel list in 2811. Please check the below link with sample config.

http://www.techsupportforum.com/forums/f137/how-to-configure-easy-vpn-server-on-cisco-2811-router-192775.html

hth

MS

Hi mvsheik123

Thanks for your answer, but I found the "problem": I did not check the right counters. It worked from the beginning, but I only verified the 172.16.100.0/32 subnet. Here is the output for the 192.168.1.0/24 subnet:

ezvpn-asa# show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 172.16.100.1, username: 172.16.100.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
      #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 44, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

Best regards

Dominic
