We have successfully deployed a couple of ASA5505/EasyVPN to sites where we don't have any leased lines/known endpoints.
Recently we bought an ASA5506-X to test it and did hit some of the design changes and the initial lack of EasyVPN.
Two days ago the long awaited 9.5.2 release became available and all caveats seem to be fixed.
Meanwhile, the need for an EasyVPN deployment with multiple inside interfaces arrived and I began to try this with the unutilized 5506-X.
The remote ASA has one outside interface and four inside interfaces where only one of them is supposed to utilize the tunnel; the three other interfaces are supposed to go straight out, NATed to the address of the outside interface.
The security-level of "our" interface is 100, the three others are 90, and from what I can understand from this link it is supported: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/ezvpn505.html#wp1025408
The problem: at the home site we are using public addresses and the remote equipment is supposed to feed some systems while clients at the three other interfaces are supposed to consume data from the same systems just as any public client.
The equipment at "our" interface is using the tunnel, all fine.
The clients at the three other inside interfaces can reach things outside the ASA5506.
The clients at the three other interfaces can NOT reach any address specified in the tunnel list despite the fact that the clients' source addresses are outside the range specified. Example:
access-list ezv-cryptomap extended permit ip 188.8.131.52 255.255.255.254 10.2.96.0 255.255.255.0
10.2.96 is located at the network supposed to use the tunnel to reach 184.108.40.206 or 220.127.116.11 and it works.
A client using 10.49.97.2 (example from one of the three other interfaces) will get routed through the tunnel and the packets are dropped.
Why isn't the packet NATed and sent right out from the outside interface?
I have asked the question here; packet traces can be found there as well. https://communities.cisco.com/message/199149#199149
Example addresses are a bit different but they come from the same configuration, sorry for that.
Any guidance is highly appreciated.
I hope the text is understandable, I rarely practice the English language.
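To make the expectation in the post concrete, here is an added example (not from the original thread or from Cisco) that models how the quoted crypto ACL should classify a flow: traffic matching the ACL, as written or mirrored for the return direction, belongs in the tunnel, anything else stays in the clear and is NATed out the outside interface. The ACL line is the one quoted above; the flow endpoints other than 10.49.97.2 and 188.8.131.52 are constructed, and the matching logic is a simplified model, not the ASA's implementation.

```python
import ipaddress
import re

# ASA ACLs use network masks (not wildcard masks); this pattern covers the
# "extended permit ip <src> <mask> <dst> <mask>" form used in the post.
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)

# The ACL line quoted in the post above (single-entry list).
CRYPTO_ACL = [
    "access-list ezv-cryptomap extended permit ip "
    "188.8.131.52 255.255.255.254 10.2.96.0 255.255.255.0",
]


def parse_ace(line):
    """Return (action, src_net, dst_net) for one extended ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    _, action, src, smask, dst, dmask = m.groups()
    return (action,
            ipaddress.IPv4Network(f"{src}/{smask}", strict=False),
            ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False))


def is_tunneled(acl_lines, src_ip, dst_ip):
    """Simplified crypto-ACL model: a flow is protected when it matches an ACE
    forward (as written) or mirrored (the return direction). First match wins."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for line in acl_lines:
        action, s_net, d_net = parse_ace(line)
        forward = src in s_net and dst in d_net
        mirrored = src in d_net and dst in s_net
        if forward or mirrored:
            return action == "permit"
    return False  # no ACE matched: stays in the clear, NATed to outside


def classify(acl_lines, src_ip, dst_ip):
    return "tunnel" if is_tunneled(acl_lines, src_ip, dst_ip) else "nat-to-outside"


if __name__ == "__main__":
    # Constructed sample flows: the tunnel-side host, the vlan68-style host, and Internet traffic.
    for s, d in [("10.2.96.10", "188.8.131.52"), ("10.49.97.2", "188.8.131.52"),
                 ("10.2.96.10", "8.8.8.8")]:
        print(f"{s} -> {d}: {classify(CRYPTO_ACL, s, d)}")
```

The second flow is the one the post describes: by this model it should never match the crypto ACL, which is why the poster expects it to be NATed rather than dropped.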
I downloaded and installed 9.5.2 and indeed the split tunneling seems to work, but there is one weird problem (I think): I'm using four "inside" interfaces on the 5506-X and as far as I can read this is kind of supported; the interface with the highest security-level can utilize the tunnel, the others can not. This scenario is fine.

Devices connected to vlan67 work fine as tested so far. A device connected to vlan68 works as long as it doesn't connect to any address in the tunnel list. This is bad since there are some services at the home end with public addresses where clients at vlan67 act as "data feeders" for the public computers while clients at vlan68 act as "data consumers" for the public computers. From what I could understand the clients at vlan67 should (and do) use the tunnel for access while clients at vlan68 would go straight out from the 5506-X, get their source address changed to the 5506-X's outside address and reach the public addresses as normal clients.

The 5506-X says the expected "Built dynamic translation" while connecting to google.com, while it says "Built localhost outside:W.X.Y.Z" while trying to connect to the public address from vlan68. The ip range B is in a completely different range from ip range A. Is this supposed behaviour or is it a bug?

interface GigabitEthernet1/2.67
 vlan 67
 nameif sixtyseven
 security-level 100    <-- easy vpn tunnel works as expected from here, W.X.Y.Z reached by tunnel
 ip address A
!
interface GigabitEthernet1/2.68
 vlan 68
 nameif sixtyeight
 security-level 90     <-- clients here reach addresses NOT in the tunnel list, W.X.Y.Z not reached at all
 ip address B
!
interface GigabitEthernet1/2.69
 vlan 69
 nameif sixtynine
 security-level 90
 ip address C
!
interface GigabitEthernet1/2.70
 vlan 70
 nameif sixtyten
 security-level 90
 ip address D
We're also hitting this bug, annoying as we bought the X-series when we finally saw the statement "Easy VPN added". A real show stopper for us :-( Can someone please explain this, are these some kind of interim versions? Can they be downloaded?
"Known Fixed Releases: (8) 100.14(0.76) 100.15(0.34) 100.15(16.8) 100.15(17.12) 100.15(3.60) 100.15(8.15) 100.16(0.2) 100.16(1.2)"