
EzVPN send all traffic over tunnel

First time working with EzVPN; while it's easy, I am lacking some understanding of it.


If I have an 881 and I have an EzVPN tunnel to an ASA at another location, how do you force all traffic over the tunnel? The 881 is getting a DHCP address from an ISP modem, and has a default route to its next hop. So from what I can tell, when I run a trace from the 881 to it, it never hits the peer tunnel address?


So how does EzVPN work when it comes to traffic crossing the tunnel? IPSEC L2L always uses crypto maps, so if the traffic doesn't match the crypto ACL, then it's not allowed to pass. I don't see the same concept here like I am used to.


Re: EzVPN send all traffic over tunnel

The ASA itself doesn't run "EzVPN" since it is, I would assume, just running IPSEC VPN, and then the EzVPN devices terminate as if they were "Clients".


I can't seem to get this replicated in the lab, partly because I am running 8.4 and not 8.2. I am not sure how much difference there is between the two. How does this work with crypto maps when you don't know what the client IP will be?

I would think you have to do some kind of NAT but all I see on the live device is:


nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1
nat (WAN) 0 access-list WAN_nat0_outbound
nat (WAN) 1
nat (DMZ2) 0 access-list DMZ2_nat0_outbound
nat (DMZ2) 1



Here is my config that I have applied to the ASA:


interface Ethernet0
nameif outside
security-level 0
ip address
interface Ethernet1
nameif inside
security-level 100
ip address
object network LAN_INSIDE
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
ip local pool Pool mask
group-policy SiteToSite internal
group-policy SiteToSite attributes
dns-server value
vpn-simultaneous-logins 500
vpn-tunnel-protocol IPSec
default-domain value centerstone.lan
split-tunnel-all-dns enable
nem enable
tunnel-group SiteToSite type remote-access
tunnel-group SiteToSite general-attributes
address-pool Pool
default-group-policy SiteToSite
authentication-server-group LOCAL
tunnel-group SiteToSite ipsec-attributes
ikev1 pre-shared-key SomePassWord1
crypto dynamic-map dyn1 1 set ikev1 transform-set set1
crypto map OUTSIDE_MAP 1 ipsec-isakmp dynamic dyn1
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
username SiteToSite password SomePassWord1
username SiteToSite attributes
vpn-group-policy SiteToSite
vpn-simultaneous-logins 200
password-storage enable
object-group network INSIDE_NETWORK
object network LAN_INSIDE
nat (inside,outside) dynamic interface
route outside 1



EzVPN client config is straight from a working unit, so I know that's good. But there must be something wrong with my ASA config.




Re: EzVPN send all traffic over tunnel

Just use the wizard via ASDM to add clients. 

I'm running an ASA with over 100 EasyVPN clients (Client = 88X), and every client gets its own group/profile to differentiate. Via the group you can say "tunnel all networks" within split-tunneling.

Michael

Please rate all helpful posts
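Michael's "tunnel all networks" advice written out in commands, as an added example (not his configuration or the original poster's): the ASA group policy pushed to the EzVPN client decides split tunnelling, so forcing everything over the tunnel is a group-policy setting on the ASA, not a route or crypto ACL on the 881. The peer address 203.0.113.10, the 881 LAN 192.168.50.0/24, the ACL name SPLIT_ACL and the 881 interface names are assumed; group, user and object names reuse the ones in the thread.

```cisco
! ASA side (ASA 8.4 syntax, group/user/object names from the post above).
! Weak setting: with split tunnelling the 881 sends only the listed networks
! over the tunnel; everything else goes straight to its ISP next hop.
group-policy SiteToSite attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
!
! Corrected: push "tunnel everything" to the client. The EzVPN client receives
! this policy during mode config, so no crypto ACL or route is needed on the 881.
group-policy SiteToSite attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list
!
! Client Internet traffic now enters and leaves on "outside" (hairpin);
! the ASA drops that unless intra-interface traffic is permitted and NATed.
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic any interface
!
! NAT exemption between the ASA LAN and the 881's LAN so the network-extension
! subnet is reachable with its real addresses (192.168.50.0/24 is a placeholder).
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static LAN_INSIDE LAN_INSIDE destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! Verify on the ASA once the 881 connects:
!   show vpn-sessiondb remote
!   show crypto ipsec sa    (NEM proxy identity: 881 LAN subnet -> 0.0.0.0/0)
!
! 881 side (IOS EzVPN client, network-extension mode to match "nem enable").
! The profile is bound to interfaces; no crypto map or crypto ACL is configured.
crypto ipsec client ezvpn EZ
 connect auto
 group SiteToSite key SomePassWord1
 mode network-extension
 peer 203.0.113.10
 xauth userid mode local
 username SiteToSite password SomePassWord1
!
! (peer = ASA outside address, placeholder above)
interface Vlan1
 crypto ipsec client ezvpn EZ inside
interface FastEthernet4
 crypto ipsec client ezvpn EZ outside
!
! Only the ISP default route (static or from DHCP) is needed on the 881: it
! carries the ESP packets to the ASA, while LAN traffic is tunnelled inside them.
!   show crypto ipsec client ezvpn    (Current State should be IPSEC_ACTIVE)
```

The tunnelall policy is what makes a trace from the 881's LAN show the ASA's inside hop rather than the ISP next hop; the 881's own default route still only has to reach the ASA peer address.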