Could you help me with Easy VPN?
Now, as shown in the picture, the client at the branch site can access the server at the HQ site via local IP over the VPN connection, but the server at the site cannot access the client's local IP address.
I attach a picture for this. Could you please advise on the configuration?
Many thanks for your kind support.
Now I have re-configured until the tunnel connects:
BLP-MK#sh crypto sess
Crypto session current status
Session status: UP-ACTIVE
Peer: 220.127.116.11 port 500
IKEv1 SA: local 18.104.22.168/500 remote 22.214.171.124/500 Active
IPSEC FLOW: permit ip 10.33.103.0/255.255.255.0 10.0.254.0/255.255.255.0
Active SAs: 2, origin: crypto map
But I cannot connect from the client at the branch to the server at HQ.
Could you please advise on my config?
Regarding your original configuration:
On the client side you need to change mode to "network-ext".
The current mode, "client", is some sort of NAT into the IP address the client received from the EzVPN server.
But my concern is your NAT configuration.
You need to review NAT and ensure that inter-site traffic is never NATed.
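One way to check the NAT point above, as an added example that is not part of the original thread: a first-match evaluator for the extended ACL referenced by a NAT rule, run against the two LAN subnets shown in the IPSEC FLOW line. The ACL contents are constructed, and the example assumes the router NATs with an ACL-based `ip nat inside source list` rule and has 10.33.103.0/24 as its inside LAN.

```python
import ipaddress

def _net(addr, wildcard):
    # Convert an IOS wildcard (inverse) mask to a prefix length.
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <wildcard>|any <dst> <wildcard>|any'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    nets, rest = [], tok[2:]
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif len(rest) >= 2:
            nets.append(_net(rest[0], rest[1]))
            rest = rest[2:]
        else:
            raise ValueError(f"truncated ACE: {line!r}")
    if len(nets) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return tok[0], nets[0], nets[1]

def nat_decision(acl_lines, src_net, dst_net):
    """First match wins. In a NAT ACL, 'permit' selects traffic for
    translation and 'deny' exempts it. Only whole-subnet containment is
    checked; an ACE covering part of the flow is not reported."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    for line in acl_lines:
        action, a_src, a_dst = parse_ace(line)
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return "translated" if action == "permit" else "exempt"
    return "exempt"  # implicit deny: never selected for NAT

# Constructed NAT ACLs for a router whose inside LAN is 10.33.103.0/24.
WEAK_ACL = ["permit ip 10.33.103.0 0.0.0.255 any"]
FIXED_ACL = ["deny ip 10.33.103.0 0.0.0.255 10.0.254.0 0.0.0.255",
             "permit ip 10.33.103.0 0.0.0.255 any"]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, nat_decision(acl, "10.33.103.0/24", "10.0.254.0/24"))
```

The same check applies on the other router with source and destination swapped, since each side NATs its own LAN.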
Thank you for your kind support.
First, I think I don't have a static IP at the client side, so I use EzVPN. But when I try to use IPsec with dynamic. Because I don't want to use NAT.
Now I use the new configuration. If I want to use only routing, can I connect to the local IP addresses on both sides without NAT?
Could you advise on my configuration?
Could you please clarify your requirements?
Is the branch's WAN IP address public (or private)?
Is the branch's WAN IP address static (or dynamic)?
How many sites do you have?
Do you have any other requirement for the design?
Why do you use that strange configuration mixing public and internal IP addresses:
description LAN Link to LAN-Network
ip address 10.0.254.254 255.255.255.0 secondary
ip address 126.96.36.199 255.255.255.252
Why do you apply the crypto map (HQ device) on G0/0, but the default route goes via G0/0?
Are you configuring real devices (or is it your lab)?
Regarding your new config: does your client have a static IP address?
Or does it change every time you reconnect?
If it's static and public (not from RFC 1918), then it's better to configure VTI.
How many branches do you have?
Why do you use Easy VPN?