Traffic not routing between remotes using ezVPN with NEM

Matthew Spire
Level 1

I've been scouring the forums for a while now looking for ways to fix this one but just can't find anything that helps.  I have ezVPN configured on an ASA 5520 for my server with 5505s as my clients at several remote sites.  The tunnels come up no problem and I can hit everything I need to on both sides of the tunnel, but I'm not able to get to another remote network from a remote network.  The traffic goes out the tunnel on the 5505 but on the 5520 all I see is a bunch of scrolling tear down messages.  Any thoughts would be greatly appreciated.

Hub side

interface GigabitEthernet0/0
 nameif Inside_Network
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/3
 nameif Outside_Network
 security-level 0
 ip address 192.168.32.8 255.255.255.0
!
same-security-traffic permit inter-interface
!
router eigrp 10
 network 10.0.0.0 255.255.255.0
 redistribute static
!
crypto ipsec ikev1 transform-set my-set esp-aes-256 esp-sha-hmac
crypto dynamic-map ezvpn 30 set ikev1 transform-set my-set
crypto dynamic-map ezvpn 30 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic ezvpn
crypto map outside_map interface Outside_Network
crypto ikev1 enable Outside_Network
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
group-policy VPN_GP internal
group-policy VPN_GP attributes
 vpn-idle-timeout none
 nem enable
!
username vpnuser password Wj0QXCAEhK12A5Sp encrypted privilege 0
!
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 default-group-policy JEOD_VPN_GP
tunnel-group VPN ipsec-attributes
 ikev1 pre-shared-key *****

Remote Side - Not much needed here

vpnclient server 192.168.32.8
vpnclient mode network-extension-mode
vpnclient vpngroup VPN password *****
vpnclient username vpnuser password *****
vpnclient enable

Accepted Solution

rohaverm
Level 1

Remote EzVPN clients are able to connect to the headend ASA 5520 but cannot communicate among themselves. Is that the correct understanding?

Are all the EzVPN clients terminated on different outside physical interfaces of the ASA? If not, then we will have to permit traffic intra-interface too, along with inter-interface, i.e. same-security-traffic permit intra-interface.

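As an added example (not from the thread or from Cisco), a small Python audit that flags the gap rohaverm identified: a dynamic crypto map bound to an interface on a hub that lacks same-security-traffic permit intra-interface, so spoke-to-spoke traffic that enters and leaves on that one interface is dropped. The embedded sample is a constructed abridgement of the hub config posted above.

```python
import re
from typing import Dict, List

# Constructed sample based on the hub config posted above (abridged).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 nameif Outside_Network
 security-level 0
!
same-security-traffic permit inter-interface
!
crypto dynamic-map ezvpn 30 set ikev1 transform-set my-set
crypto map outside_map 65535 ipsec-isakmp dynamic ezvpn
crypto map outside_map interface Outside_Network
group-policy VPN_GP attributes
 nem enable
"""

FIXED_CONFIG = SAMPLE_CONFIG + "same-security-traffic permit intra-interface\n"

def audit_hairpin(config: str) -> Dict[str, object]:
    """Flag crypto-map interfaces that terminate dynamic (remote-access)
    peers while intra-interface hairpinning is not permitted."""
    dynamic_maps = set()              # crypto maps that reference a dynamic-map
    map_ifaces: Dict[str, str] = {}   # crypto map name -> bound interface
    intra = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$", line)
        if m:
            dynamic_maps.add(m.group(1))
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            map_ifaces[m.group(1)] = m.group(2)
        if line == "same-security-traffic permit intra-interface":
            intra = True
    # Spoke-to-spoke traffic enters and leaves the hub on these interfaces.
    shared = sorted(map_ifaces[n] for n in dynamic_maps if n in map_ifaces)
    findings: List[str] = []
    if shared and not intra:
        findings.append("dynamic crypto map bound to %s without "
                        "'same-security-traffic permit intra-interface'; "
                        "spoke-to-spoke traffic is dropped" % ", ".join(shared))
    return {"shared_interfaces": shared, "intra_interface": intra,
            "findings": findings}

if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_hairpin(cfg)["findings"] or ["ok"])
```

Run it against the output of show running-config to confirm the fix is in place after the intra-interface command is added.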

2 Replies

You understood correctly.  They are all being terminated on the same outside interface and the intra-interface worked like a charm.  Thanks.  I knew it would be something simple in the end.
