
Client behind EzVPN Remote (ASA 5505)

Hi there

I am trying to configure a simple EzVPN infrastructure:

EzVPN Server (CISCO2811, hostname cme) <--> EzVPN Remote (ASA5505, hostname ezvpn-asa) <--> Client

Attached you will find the configurations of both the EzVPN server and remote. The tunnel comes up, and if I ping from the ASA to the router, I see the packets getting encrypted:

ezvpn-asa# ping 172.16.100.1
...
ezvpn-asa# show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
      access-list _vpnc_acl permit ip host 172.16.100.2 host 172.16.100.1
      local ident (addr/mask/prot/port): (172.16.100.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.1/255.255.255.255/0/0)
      current_peer: 172.16.100.1, username: 172.16.100.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

If I connect a client with IP address 192.168.1.2 to the interface eth0/1 and do a ping to the cme, I don't see any packets getting encrypted. I don't have any idea about VPN, I just need it for a wireless lab environment. What do I have to configure on the ASA, so the inside traffic is encrypted?

Thanks in advance and best regards

Dominic

Accepted Solutions

Client behind EzVPN Remote (ASA 5505)

Hi,

Looks like you are missing split-tunnel list in 2811. Please check the below link with sample config.

http://www.techsupportforum.com/forums/f137/how-to-configure-easy-vpn-server-on-cisco-2811-router-192775.html

hth

MS


Re: Client behind EzVPN Remote (ASA 5505)

Hi mvsheik123

Thanks for your answer, but I found the "problem": I did not check the right counters. It worked from the beginning, but I only verified the 172.16.100.0/32 subnet. Here is the output for the 192.168.1.0/24 subnet:

ezvpn-asa# show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 172.16.100.1, username: 172.16.100.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
      #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 44, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

Best regards

Dominic
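
The mix-up resolved in this thread (reading the counters of the host-to-host SA instead of the SA whose idents cover the inside subnet) can be avoided by matching the test flow against each SA's local/remote ident before reading its counters. The Python sketch below is an added example, not part of the original posts; the function names `parse_sas` and `counters_for` are hypothetical, and the sample input is constructed by trimming the two outputs quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: the two SAs quoted in this thread, trimmed to the relevant lines.
SAMPLE = """\
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
      access-list _vpnc_acl permit ip host 172.16.100.2 host 172.16.100.1
      local ident (addr/mask/prot/port): (172.16.100.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.1/255.255.255.255/0/0)
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
      #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#([A-Za-z -]+?): (\d+)")

def parse_sas(text):
    """Split 'show crypto ipsec sa' output into one dict per SA."""
    sas = []
    for line in text.splitlines():
        if line.strip().startswith("Crypto map tag:"):
            sas.append({"counters": {}})      # each SA block starts here
        elif not sas:
            continue                          # skip preamble such as 'interface: outside'
        m = IDENT.search(line)
        if m:                                 # store ident as a network (addr/netmask)
            sas[-1][m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        for name, value in COUNTER.findall(line):
            sas[-1]["counters"][name] = int(value)
    return sas

def counters_for(sas, src, dst):
    """Counters of the most specific SA whose idents cover src -> dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [sa for sa in sas if src in sa.get("local", ()) and dst in sa.get("remote", ())]
    best = max(hits, key=lambda sa: sa["local"].prefixlen + sa["remote"].prefixlen,
               default=None)
    return best["counters"] if best else None

if __name__ == "__main__":
    # Client 192.168.1.2 pinging the router: read the SA that covers that flow.
    print(counters_for(parse_sas(SAMPLE), "192.168.1.2", "172.16.100.1"))
```

A `None` result means no SA's idents cover the flow, so that traffic would not be matched by any of the listed SAs.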
