
Could you help me with Easy VPN?

Dear all,

Could you help me with Easy VPN?

Now, as in the picture, the client @ branch site can access the server @ HQ site via local IP over the VPN connection, but the server @ site cannot access the client's local IP address.

I attach a picture for this. Could you please advise on the configuration?

Many thanks for your kind support.


Now I have re-configured until the tunnel connects:

BLP-MK#sh crypto sess

Crypto session current status

Interface: Dialer0

Session status: UP-ACTIVE    

Peer: port 500

  IKEv1 SA: local remote Active

  IPSEC FLOW: permit ip

        Active SAs: 2, origin: crypto map

But I cannot connect from client @ branch to server @ HQ.

Could you please advise on my config?

Vasilii Mikhailovskii
Rising star


Regarding your original configuration:

On the client side you need to change mode to "network-ext".

The current mode, "client", is some sort of NAT into the IP address the client received from the EzVPN server.

But my concern is your NAT configuration.

You need to review NAT and ensure that inter-site traffic is never NATed.
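
As an added illustration of the two points in this reply (not configuration from the thread): a branch-side IOS fragment that switches the Easy VPN client to network-extension mode and exempts inter-site traffic from NAT. The profile name EZVPN-BRANCH, the ACL name NAT-EXEMPT, the LAN interface and all subnets are constructed placeholders; only Dialer0 comes from the session output above.

```cisco
! Constructed example values (assumptions, not from the thread):
!   branch LAN 192.168.20.0/24, HQ LAN 192.168.10.0/24
!
! Before: client mode PATs the branch LAN behind the address assigned
! by the EzVPN server, so HQ hosts cannot address branch hosts directly.
!   crypto ipsec client ezvpn EZVPN-BRANCH
!    mode client
!
! After: network-extension mode exposes the branch LAN with its real addresses.
! (Existing peer, group and connect lines of the profile stay unchanged.)
crypto ipsec client ezvpn EZVPN-BRANCH
 mode network-extension
!
! LAN side (interface name is an assumption)
interface GigabitEthernet0/1
 ip nat inside
 crypto ipsec client ezvpn EZVPN-BRANCH inside
!
! WAN side
interface Dialer0
 ip nat outside
 crypto ipsec client ezvpn EZVPN-BRANCH
!
! NAT exemption: the deny entry must come before the permit entry,
! so branch-to-HQ traffic is never translated and matches the tunnel as-is.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
ip nat inside source list NAT-EXEMPT interface Dialer0 overload
```

After sending traffic between the sites, `show ip nat translations` should list no entries toward the HQ subnet, and the packet counters in `show crypto ipsec sa` should increase in both directions.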

Thank you for your kind support.

First, I think I don't have a static IP @ client side, so I use EzVPN. But when I try to use IPsec with dynamic. Because I don't want to use NAT.

Now I use the new configuration. If I want to use only routing, can I connect to the local IP address on both sides without NAT?

Could you advise on my configuration?

Hello, Siriphan.

Could you please clarify your requirements?

Is branch's WAN IP-address public (or private)?

Is branch's WAN IP-address static (or dynamic)?

How many sites do you have?

Do you have any other requirement for the design?

Why do you use that strange configuration mixing public and internal IP-addresses:

interface GigabitEthernet0/1

description LAN Link to LAN-Network

ip address secondary

ip address

Why do you apply crypto map (HQ device) on G0/0, but default route goes via G0/0?

Do you configure real devices (or is it your lab)?

Vasilii Mikhailovskii
Rising star

Regarding your new config: does your client have a static IP address?

Or does it change every time you reconnect?

If it's static and public (not from RFC1918) then it's better to configure VTI.

How many branches do you have?

Why do you use Easy VPN?