05-11-2012 10:52 PM
Hello!
We have faced a problem when using "crypto ipsec client ezvpn <name> inside" on multiple interfaces/sub-interfaces.
We have two different routers as our VPN clients.
The server is configured on ASA 5520, Version 8.4(2)
Sometimes we cannot access the client internal networks from server side.
At the same time on the client:
What can cause such a problem?
Server config:
access-list VPN-ACL extended permit ip 10.3.3.0 255.255.255.192 host 10.0.0.2
access-list VPN-ACL extended permit ip 10.3.3.128 255.255.255.128 host 10.0.0.2
!
ip local pool VPN-POOL 10.0.0.2
!
group-policy vpn-EAZY internal
group-policy vpn-EAZY attributes
 wins-server value 10.2.2.21 10.2.2.31
 dns-server value 10.2.2.21 10.2.2.31
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-ACL
 default-domain value domain.local
 split-dns none
 address-pools value VPN-POOL
!
tunnel-group vpn-EAZY type remote-access
tunnel-group vpn-EAZY general-attributes
 address-pool VPN-POOL
 default-group-policy vpn-EAZY
tunnel-group vpn-EAZY ipsec-attributes
 ikev1 pre-shared-key ***
!
client2 config:
crypto ipsec client ezvpn vpn-client1
 connect auto
 group <group_name> key <***>
 mode network-plus
 peer <peer_ip>
 username <user> password <***>
 xauth userid mode local
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
 ...
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
 ...
!
interface FastEthernet0/0/1
 description WAN
 ip nat outside
 crypto ipsec client ezvpn vpn-client1
 ...
05-11-2012 11:17 PM
Here (http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-cr-book.pdf) it is mentioned that you can add up to three inside interfaces.
On client1 we use 2 inside interfaces, on client2 we use 4 inside interfaces, but the problem remains the same for both of them.
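The three-inside-interface limit cited in this post, and the client config from the first post, can be checked mechanically before a tunnel is ever brought up. The following linter is an added example, not code from the thread or from Cisco: it parses an IOS-style config, records which interfaces bind each EZVPN profile as inside or outside (the indented "crypto ipsec client ezvpn <name> [inside]" sub-command), and flags a profile with more inside interfaces than the limit, more or fewer than one outside interface, or a binding to a profile that is never defined globally. The sample configs are constructed from client2 in the first post; the peer address 192.0.2.1, the .300/.400 sub-interfaces and the client1 variant are assumptions, since the original elides those lines.

```python
"""Lint the inside/outside interface bindings of IOS EZVPN client profiles."""
import re
from collections import defaultdict

# Limit quoted in the thread from the IOS security command reference.
MAX_INSIDE_INTERFACES = 3

# Global profile definition sits at column 0; the interface binding is an
# indented sub-command with the same words, optionally followed by "inside".
PROFILE_RE = re.compile(r"^crypto ipsec client ezvpn (\S+)\s*$")
INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
BIND_RE = re.compile(r"^\s+crypto ipsec client ezvpn (\S+)(\s+inside)?\s*$")

# Constructed sample modelled on client2 in the first post; the peer address
# and the .300/.400 sub-interfaces are assumptions (the post elides them).
CLIENT2_CONFIG = """\
crypto ipsec client ezvpn vpn-client1
 connect auto
 mode network-plus
 peer 192.0.2.1
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface GigabitEthernet0/1.300
 encapsulation dot1Q 300
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface GigabitEthernet0/1.400
 encapsulation dot1Q 400
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface FastEthernet0/0/1
 description WAN
 ip nat outside
 crypto ipsec client ezvpn vpn-client1
!
"""

# Constructed client1 sample: the same config with only the two inside
# sub-interfaces the thread says client1 uses.
CLIENT1_CONFIG = "!\n".join(
    block for block in CLIENT2_CONFIG.split("!\n")
    if "dot1Q 300" not in block and "dot1Q 400" not in block
)


def parse_ezvpn_bindings(config):
    """Return (bindings, defined): bindings maps profile -> {"inside": [...],
    "outside": [...]}; defined is the set of globally defined profiles."""
    bindings = defaultdict(lambda: {"inside": [], "outside": []})
    defined = set()
    current = None  # interface whose sub-commands we are inside, if any
    for line in config.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            defined.add(m.group(1))
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):
            current = None
            continue
        m = BIND_RE.match(line)
        if m and current is not None:
            role = "inside" if m.group(2) else "outside"
            bindings[m.group(1)][role].append(current)
    return dict(bindings), defined


def lint_ezvpn(config):
    """Return a list of human-readable findings; empty means nothing to flag."""
    findings = []
    bindings, defined = parse_ezvpn_bindings(config)
    for profile, roles in sorted(bindings.items()):
        if profile not in defined:
            findings.append(f"{profile}: bound on an interface but never defined globally")
        n_inside = len(roles["inside"])
        if n_inside > MAX_INSIDE_INTERFACES:
            findings.append(
                f"{profile}: {n_inside} inside interfaces exceeds the documented "
                f"limit of {MAX_INSIDE_INTERFACES} ({', '.join(roles['inside'])})"
            )
        if len(roles["outside"]) != 1:
            findings.append(
                f"{profile}: expected exactly one outside interface, "
                f"found {len(roles['outside'])}"
            )
    return findings
```

Running lint_ezvpn(CLIENT1_CONFIG) returns an empty list, while lint_ezvpn(CLIENT2_CONFIG) returns a single finding naming the four inside sub-interfaces; feeding it a real "show running-config" capture of each router gives the same answer for the actual boxes. The parser keys only on the profile name and the presence of the "inside" keyword, so it does not judge anything about the split-tunnel ACL or the NAT statements.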
05-14-2012 01:16 AM
Does anybody have any ideas?
The question is urgent!
05-14-2012 06:20 AM
Just try adding
crypto isakmp nat-traversal 10 on the ASA
then initiate the tunnel from the client side.
05-14-2012 11:58 PM
Will it resolve the problem with initiating the connection from the server side?
Besides, the server and the client are not located behind NAT, so why do we need the nat-traversal feature?