New Member

Help with ASA EzVPN configuration

I have a remote 1921 router that I am trying to connect to a Cisco ASA 5540 (running 8.2 code), but I am having problems.

According to this document, a split-tunnel policy is defined

access-list EZVPN_SPLIT_TUNNEL standard permit

split-tunnel-network-list value EZVPN_SPLIT_TUNNEL

In my network, the remote subnet behind the 1921 is /27
This will connect to two hosts behind the ASA ( & 183)

How do I specify this split tunnel in that scenario?

My other problem is that I already have a dynamic crypto map specified on the ASA with the parameters

crypto map outside_map 65535 (for a different VPN)

My new map for the EzVPN reads

crypto dynamic-map outside_new_map 20 set pfs group1

crypto dynamic-map outside_new_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_new_map 20 match address ezvpn

crypto map outside_map 65534 ipsec-isakmp dynamic outside_new_map

But it looks like the EzVPN client is trying to use 65535 by default and main mode is failing.
Is there some way around this? Some way to specify the sequence number?

Any advice would be great!

New Member

Help with ASA EzVPN configuration

OK, one update on this

Looks like I have the sequence number issue corrected. The tunnel does come up, and the remote host at can ping the internal host at

However, the host cannot ping back to the remote client. I have a NAT exemption in place on the firewall

access-list inside_nat0_outbound extended permit ip host

and the ACL that specifies the interesting traffic

access-list ezvpn extended permit ip

But when the host tries to ping the remote VPN client, I get an "expired in transit" message

Is there something I forgot to do here? Not sure why it is doing this.
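The pieces both posts ask about (a split-tunnel list naming two hosts, a dynamic crypto map that does not collide with the existing 65535 entry, the 8.2-style NAT exemption, and a way to check the route that a TTL-expired "expired in transit" reply points at), assembled as an added example ASA 8.2 configuration. It is not from the original thread and not Cisco documentation. Every address and name in it is an assumption: the remote LAN behind the 1921 is taken as 192.168.50.0/27, the two inside hosts as 10.1.1.182 and 10.1.1.183, and the group-policy, tunnel-group and dynamic-map names are placeholders. It also makes one design choice of its own: instead of a second dynamic map on a second crypto-map sequence, it adds a second sequence to a single dynamic map, so the crypto map keeps one `ipsec-isakmp dynamic` reference.

```cisco
! Added example: ASA 8.2, EzVPN hardware client (1921) in network-extension mode.
! Not from the original thread. Assumed values:
!   remote LAN behind the 1921:  192.168.50.0/27
!   hosts behind the ASA:        10.1.1.182 and 10.1.1.183
!   names EZVPN_GP, EZVPN_TG, outside_dyn_map are placeholders

! 1. Split tunnel: the standard ACL lists the destinations the 1921 must send
!    through the tunnel. A standard ACL takes "host" entries, so the two inside
!    hosts are listed one per line; everything else stays local to the remote site.
access-list EZVPN_SPLIT_TUNNEL standard permit host 10.1.1.182
access-list EZVPN_SPLIT_TUNNEL standard permit host 10.1.1.183

group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN_SPLIT_TUNNEL
 nem enable

tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
 pre-shared-key <group-key>

! 2. Crypto map. One dynamic map can hold several sequences, so the EzVPN entry
!    is added as sequence 20 of the dynamic map that the existing 65535 entry
!    already references; the crypto map keeps a single dynamic reference.
!    No "match address" is needed here: the EzVPN client proposes its own
!    proxy identities. "set reverse-route" makes the ASA install a route for
!    192.168.50.0/27 toward the outside interface while the tunnel is up.
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! 3. NAT exemption (8.2 syntax): traffic between the two inside hosts and the
!    remote /27 must not be translated. One ACL entry per host, written from
!    the inside host toward the remote subnet.
access-list inside_nat0_outbound extended permit ip host 10.1.1.182 192.168.50.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip host 10.1.1.183 192.168.50.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound

! 4. Checks. "expired in transit" is an ICMP time-exceeded reply, i.e. the
!    packet's TTL ran out while two routers handed it back and forth. The
!    route the ASA holds for the remote /27 must point at the outside
!    interface (the RRI route), not back toward an inside next hop.
show crypto isakmp sa
show crypto ipsec sa peer <1921-public-ip>
show route | include 192.168.50.0
```

If `show route` shows the remote /27 learned from anything other than the VPN (a static route or a default pointing at an inside router), that next hop and the ASA are the two ends of the loop; the same check on the inside router's routing table closes the other half.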
