ASA 5505 - NEM Client

randydaugherty
Level 1

How can I configure an ASA 5505 NEM client to allow access to the Internet when the tunnel to the headend is down?  I am planning on deploying back to back ASA 5505s in network extension mode but I do not want to block Internet access on the client side if the tunnel to the server should go down.

4 Replies

Jeffrey Schutt
Cisco Employee

Hi Randy,

There are two things going on here, network extension mode versus client-mode and split-tunneling versus tunneling all traffic.  It sounds like you're committed to NEM (probably because you want to route the remote subnet on the ezvpn server side).  Now it's a question of split-tunneling versus tunneling all traffic.  Here's a great example of how to setup the ASA as a NEM client where the ezvpn server pushes down a split-tunnel policy:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

This may be the way you want to go because if you use this setup then your users will always have internet access independent of the tunnel being up or down.

The other option is to tunnel all traffic from the ezvpn client side through the tunnel before u-turning internet bound traffic.  In this case the ipsec sa that's built on the ezvpn client side has an all zeroes proxy/identity.  This means that any packet that goes from inside to outside interface will trigger the IPsec connection.  This will then bring up the tunnel if it's down so users internet access is restored.  The other option you have is to configure PAT on the ezvpn client.  In this scenario you should explicitly deny the ezvpn server's networks from NAT/PAT (using nat exemption/identity nat) so that this traffic never gets NATed.  PAT will allow inside users to browse the web even if the tunnel is down.
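The two pieces described above, written out as an added example in ASA 8.2-style CLI (this is not from the linked Cisco document or from either poster): the headend pushes a split-tunnel list so the NEM client only encrypts traffic to the headend LAN, and the client PATs everything else to its outside address while exempting headend-bound traffic from NAT. The subnets 192.168.0.0/24 (headend) and 192.168.1.0/24 (remote), the headend address 203.0.113.10, and the object names EZVPN_SPLIT, EZVPN_GP, EZVPN_TG and NO_NAT are assumptions for illustration; the pre-shared key is a placeholder.

```cisco
! ---------- EZVPN server (headend ASA) ----------
! Only the headend LAN is listed, so the hardware client builds an SA
! for just that destination and sends everything else out its own
! outside interface, whether or not the tunnel is up.
access-list EZVPN_SPLIT standard permit 192.168.0.0 255.255.255.0
!
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN_SPLIT
 nem enable
!
tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
 pre-shared-key <headend-psk>

! ---------- EZVPN hardware client (remote ASA 5505, NEM) ----------
! NAT exemption: remote-LAN <-> headend-LAN traffic keeps its real
! addresses so it matches the pushed split-tunnel list and is encrypted.
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
! PAT everything else to the outside interface address; this path does
! not depend on the tunnel, so Internet access survives a headend outage.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Easy VPN hardware client settings (assumed headend address 203.0.113.10).
! If the headend also requires XAUTH, a vpnclient username/password pair
! would be needed in addition to the group credentials.
vpnclient server 203.0.113.10
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN_TG password <headend-psk>
vpnclient enable
```

After the first connection, "show crypto ipsec sa" on the client should show a proxy identity of 192.168.1.0/24 to 192.168.0.0/24 rather than 0.0.0.0/0.0.0.0, which confirms the split list was installed; the nat (inside) 0 entry must be present or that traffic is PATed and never matches the SA.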

Hi Jeffrey,

First, thanks for responding to my post.  I began to think I was so far off base that no one was willing to even attempt to straighten me out!

I went ahead and implemented a site-to-site vpn just so I could get my two offices communicating.  Not real crazy about this since the two sub-nets cannot see each other.  Works fine if you know the ip address of the host you are attempting to connect with.  We are a small company so we do not use domains, just work groups.  And, we have just about every edition of Windows since 2000.  So, the reason I am looking at the EZvpn, the way I understand it, is to give better visibility between the two subnets, 192.168.0.0/24 and 192.168.1.0/24.  (i.e. click on “My Network Places” from the control pane and see all of the hosts on both subnets).

So back to the NEM setup, if I understand this correctly, the split-tunnel will work just fine as long as the tunnel comes up the first time.  In other words, if I set up the remote office prior to setting up the server, internet access is not possible since the remote does not have the configuration to implement split-tunnel.  The reason this is an issue is when there is a power failure.  The remote office will once again need to establish the tunnel to receive the split-tunnel instructions prior to allowing internet access since the split-tunnel is only in active memory, not part of the saved configuration. And, if the server is off the air due to power failure the remote office cannot access the internet.  Please correct me if I am missing something here!

So here is one more question, what is the difference between a site-to-site network and the NEM-Client Mode? 

Thanks for all of your help!

Randy

Hi Randy,

Thanks for the clarification.  Based on this new information it sounds like all you need to do is configure RRI (reverse route injection) and redistribute these static routes into the dynamic routing protocol (if you're running a routing protocol).  Configure reverse route injection with the set command within the static crypto map entry you've configured.  This way these learned routes will always be advertised into the local ASA's routing table.  This should resolve your problem.

The major difference between l2l and ezvpn is that you define the local policy on both sides in the l2l configuration (encryption/hashing protocols, crypto map configuration including interesting traffic, etc) whereas the ezvpn server pushes the policy down to the ezvpn client.

Regarding split tunneling...within an EZVPN setup the split tunnel policy is pushed down from the server.  What this means is that the ezvpn client will only encrypt traffic that matches the split-tunnel list defined on the ezvpn server and installed in the ezvpn client (as verified by 'sh cry ips sa').  This means that all other traffic not defined by the split tunnel acl will always be able to reach the internet directly independent of whether the ipsec tunnel is established.

Regards,

Jeff
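The RRI step from the reply above, as an added example in ASA CLI (not from either poster): the set reverse-route command on the headend's crypto map entry installs a static route for the peer's protected subnet when the SA comes up, and redistribute static hands it to the routing protocol. The crypto map name OUTSIDE_MAP, dynamic map DYN_MAP, sequence numbers, and EIGRP AS 100 are assumptions; the remaining crypto map settings (peer, transform set, match address) are assumed to already exist.

```cisco
! Headend ASA: inject a route for the remote subnet learned from the SA.
! On a static l2l entry the command goes on that entry; an Easy VPN
! headend terminates clients on a dynamic map, so it is shown there too.
crypto map OUTSIDE_MAP 10 set reverse-route
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
! Only needed when a routing protocol runs on the inside; the injected
! route is a static route, so it is redistributed like any other.
router eigrp 100
 network 192.168.0.0 255.255.255.0
 redistribute static
```

"show route" on the headend should list the remote subnet with the peer's outside address as next hop once the SA is established, and the route should disappear when the SA is torn down; a route that persists after the tunnel drops usually means a hand-entered static route is shadowing RRI.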

Hi Jeff,

You really cleared it up for me as to the underlying issues when deciding between a l2l implementation as opposed to EZvpn.  I am certain at this point the l2l is what I needed, especially since I am only dealing with two offices.

I must apologize though because I think I led you astray.  The real issue is not the subnets and visibility, but it is network discovery that I am having trouble with.  I did not do a very good job of describing my problem but wow, have I learned a lot from digging into this.  And, now that I have dug deeper I am beginning to think what I am looking for is not doable.

We do not utilize WINS or DNS in our network since there are only about 10 hosts per site and only two sites.  However, we still use host names to direct printers, file servers, etc.  Name resolution works fine at each site (I believe this is a result of the LLMNR protocol).  Since this is a multicast protocol and the ASA devices will not forward this (224.0.0.252:5535) over the VPN we are not able to see the names of the hosts between the two sites.

I appreciate the help you have sent over.  I had to read up on RRI to make sure I understood what it could do and to determine that would not help out name resolution.  Once again, sorry for not describing the issue in better detail.

Thanks,

Randy
