cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
486
Views
0
Helpful
2
Replies
Enthusiast

EzVPN send all traffic over tunnel

First time working with EzVPN, while its easy, I am lacking some understanding of it. 

 

If I have an 881 and I have an EzVPN tunnel to an ASA at another location, how do you force all traffic over the tunnel?? The 881 is getting a dhcp address from a ISP modem, and has a default route to its next hop. So from what I can tell when I run a trace from the 881 to 4.2.2.2 it never hits the peer tunnel address? 

 

So how does EzVPN work when it comes to traffic crossing the tunnel? IPSEC L2L always uses crypto maps so if the traffic doesnt match the crypto, then its not allowed to pass. I dont see the same concept here like I am use to.

2 REPLIES 2
Enthusiast

Re: EzVPN send all traffic over tunnel

The ASA itself doesn't run "EzVPN" since it is 8.2...so I would assume it just runs IPSEC vpn and then EzVPN devices terminate as they were "Clients"

 

I can't seem to get this replicated in the lab, partly because I am runnning 8.4 and not 8.2. I am not sure how much difference there is between the two. How does this work with crypto maps when you dont know what the client IP will be?

I would think you have to do some kind of NAT but all I see on the live device is:

 

nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
nat (WAN) 0 access-list WAN_nat0_outbound
nat (WAN) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 0 access-list DMZ2_nat0_outbound
nat (DMZ2) 1 192.168.107.0 255.255.255.0

 

 

Here is my config that I have applied to the ASA:

!

interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.100.1.249 255.255.255.0
!
!
!
object network LAN_INSIDE
subnet 10.100.1.0 255.255.255.0
!
!
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
!
ip local pool Pool 10.99.99.1-10.99.99.99 mask 255.255.255.0
!
group-policy SiteToSite internal
group-policy SiteToSite attributes
dns-server value 10.100.6.205 10.110.6.205
vpn-simultaneous-logins 500
vpn-tunnel-protocol IPSec
default-domain value centerstone.lan
split-tunnel-all-dns enable
nem enable
!
!
!
tunnel-group SiteToSite type remote-access
tunnel-group SiteToSite general-attributes
address-pool Pool
default-group-policy SiteToSite
authentication-server-group LOCAL
tunnel-group SiteToSite ipsec-attributes
ikev1 pre-shared-key SomePassWord1
!
crypto dynamic-map dyn1 1 set ikev1 transform-set set1
!
crypto map OUTSIDE_MAP 1 ipsec-isakmp dynamic dyn1
crypto map OUTSIDE_MAP interface outside
!
crypto ikev1 enable outside
!
username SiteToSite password SomePassWord1
username SiteToSite attributes
vpn-group-policy SiteToSite
vpn-simultaneous-logins 200
password-storage enable
!
!
!
object-group network INSIDE_NETWORK
network 10.100.1.0 255.255.255.0
!
object network LAN_INSIDE
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

 

 

EzVPN client config is straight from a working unit so I know thats good. But there must be something wrong with my ASA config. 

 

 

Highlighted
Contributor

Re: EzVPN send all traffic over tunnel

Just use the wizard via ASDM to add clients. 

I'm running an ASA with over 100 EasyVPN clients (Client = 88X), and every client get's an own group/profile to differentiate. Via group you can say tunnel all networks within split-tunneling.

Michael Please rate all helpful posts