cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4789
Views
3
Helpful
6
Replies

Easy VPN along with IPSec L2L(Site-to-Site) VPN in the same ASA 5505

Anup Sasikumar
Level 1
Level 1

Hi Experts,

We have an ASA 5505 in our environment and currently two IPSec L2L VPN tunnels are established. But we are planning to connect using Easy VPN(Network Extension Mode) to another site as Client. Is it possible to configure Easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible are there any work around?

Following is the warning that we get when tried to configure Easy VPN Client.

NOCMEFW1(config)# vpnclient enable

* Remove "nat (inside) 0 S2S-VPN"

* Detach crypto map attached to interface outside

* Remove user-defined tunnel-groups

* Remove manually configured ISA policies

CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remo

te

operation has been detected, and is listed above. Please resolve the

above configuration conflict(s) and re-enable.

Thanks and Regards

Anup Sasikumar

Regards,
Anup
1 Accepted Solution

Accepted Solutions

"Dynamic crypto map needs to be setup on the Server device ?"

Yes, dynamic crypto is setup on the EasyVPN Server side.

thanks

View solution in original post

6 Replies 6

rizwanr74
Level 7
Level 7

Hi Anup,

the site which hosting the EasyVPN Server is also under your administratation as well?

If I were you, I setup daynamic L2L tunnel on the Server ASA (assuming your remote end is an ASA hosting EasyVPN Server), which will work like an EasyVPN server and your remote hardware vpn-client still can be configured like static-tunnel to Dyamic L2L tunnel.

My understanding is, you cannot static-tunnels configured while being a EasyVPN client for EasyVPN server.

Hope that make sense.

thanks

Rizwan Rafeek

Hi Rizwan ,

Thanks for your helpful response.

The Easy VPN Server end is not under our administration and we think it is a Router most probably.

The device at our end is an ASA 5505 which currently has 2 Site to Site VPN tunnels with a static crypto map on the outside interface. And we get the error mentioned above when trying to configure ASA 5505 as the Easy VPN Client.

Dynamic crypto map needs to be setup on the Server device ?

Regards,

Anup

Regards,
Anup

"Dynamic crypto map needs to be setup on the Server device ?"

Yes, dynamic crypto is setup on the EasyVPN Server side.

thanks

Hi Rizwan,

Thanks for the reply !

Due to practical difficulties , asking for a Dynamic Crypto map to be setup at Easy VPN Server end was not possible.

So we had a second ASA 5505 which we erased to factory defaults and configured it to be setup as Easy VPN client just for that remote site.

Thank you

Regards,

Anup 

Regards,
Anup

Hi Anup,

I have had the priviledge of configuring both Site-to-Site and EzVPN on the same ASA 5505 and it works perfectly even as we speak, but what i can't verify is using a hardware client for it. But i guess it should work, going by what is meant to be.

But i have a question to ask you, have you found out what kind of Router they have there? if it could do S2S vpn? if it is why not go ahead and slam another S2S on it, rather than having to do EzVPN.

That's just my two cent about the whole setup.

Hi Teddy,

Thats great. So it 's Site to Site VPN and an Easy VPN Client on the same ASA5505 ?

We don 't have an idea of the router at their end and Site to Site VPN is defintely an option which I am also more comfortable with . But they have the upper hand ! (Sigh ! )

Regards ,

Anup

Regards,
Anup
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: