Cisco Support Community
New Member

ezvpn: ip pool necessary?

I currently have ezvpn set up between two sites using network extension mode. Is the IP pool necessary on the server end? Being that it is in network extension mode, any traffic coming from the remote site over vpn should be using its own IP address?

This is my current server config:

crypto isakmp client configuration group VPNGROUP
 key password
 pool vpn-pool
 acl 104

Where vpn-pool is assigned a pool of addresses. The remote site has no problem getting to the networks I have allowed it to access through ACLs but when I created a firewall rule based on their source IPs it doesn't seem to affect them. I'm curious if this is the result of the vpnpool assigning them different IPs.


Cisco Employee

Re: ezvpn: ip pool necessary?

Using EZVPN in network extension mode, I'm pretty sure the pool is not needed. It should only be needed when configuring client mode EZVPN. HTH

New Member

Re: ezvpn: ip pool necessary?

Thanks. I'll try that tonight. It's confusing because in every config I have seen on the web, local ip pools are assigned even with network extension mode.

What's happening with us is that I created an aaa rule on my pix firewall (sitting behind the ezvpn server) which exempts traffic from that remote site from authentication to services in my dmz. This was working for a couple of minutes and suddenly when they tried again the rule doesn't work. This leads me to believe either they are not coming across the vpn tunnel and across the internet (where this rule probably won't work since they'd have a public IP and not the remote site's ip address) or some wacky address is assigned to them as they come across the tunnel.
