First time working with EzVPN; while it's easy, I am lacking some understanding of it.
If I have an 881 and I have an EzVPN tunnel to an ASA at another location, how do you force all traffic over the tunnel? The 881 is getting a DHCP address from an ISP modem and has a default route to its next hop. So from what I can tell, when I run a trace from the 881 to 126.96.36.199 it never hits the peer tunnel address?
So how does EzVPN work when it comes to traffic crossing the tunnel? IPsec L2L always uses crypto maps, so if the traffic doesn't match the crypto map, then it's not allowed to pass. I don't see the same concept here like I am used to.
The ASA itself doesn't run "EzVPN" since it is 8.2... so I would assume it just runs IPsec VPN and the EzVPN devices terminate as if they were "clients".
I can't seem to get this replicated in the lab, partly because I am running 8.4 and not 8.2. I am not sure how much difference there is between the two. How does this work with crypto maps when you don't know what the client IP will be?
I would think you have to do some kind of NAT, but all I see on the live device is:
! ASA 8.2 NAT syntax: "nat <if> 0 access-list" is NAT exemption (traffic matching the
! ACL is not translated); "nat <if> 1 ..." is dynamic PAT for everything else
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
nat (WAN) 0 access-list WAN_nat0_outbound
nat (WAN) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 0 access-list DMZ2_nat0_outbound
nat (DMZ2) 1 192.168.107.0 255.255.255.0
Here is the config I have applied to the ASA:
! interface context (outside / inside) omitted from the post
ip address 188.8.131.52 255.255.255.192
ip address 10.100.1.249 255.255.255.0
!
object network LAN_INSIDE
 subnet 10.100.1.0 255.255.255.0
!
! IKEv1 policy parameters (encryption, hash, group, lifetime) omitted from the post
crypto ikev1 policy 65535
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
ip local pool Pool 10.99.99.1-10.99.99.99 mask 255.255.255.0
!
group-policy SiteToSite internal
group-policy SiteToSite attributes
 dns-server value 10.100.6.205 10.110.6.205
 default-domain value centerstone.lan
!
tunnel-group SiteToSite type remote-access
tunnel-group SiteToSite general-attributes
tunnel-group SiteToSite ipsec-attributes
 ikev1 pre-shared-key SomePassWord1
!
! dynamic crypto map: accepts IKE from any peer address, so the client's
! (DHCP-assigned) IP does not need to be known in advance
crypto dynamic-map dyn1 1 set ikev1 transform-set set1
crypto map OUTSIDE_MAP 1 ipsec-isakmp dynamic dyn1
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
!
username SiteToSite password SomePassWord1
username SiteToSite attributes
!
object-group network INSIDE_NETWORK
 network-object 10.100.1.0 255.255.255.0
!
! 8.3+ NAT: dynamic PAT of the inside LAN to the outside interface address
object network LAN_INSIDE
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 184.108.40.206 1
The EzVPN client config is straight from a working unit, so I know that's good. But there must be something wrong with my ASA config.
Just use the wizard via ASDM to add clients.
I'm running an ASA with over 100 EasyVPN clients (client = 88x), and every client gets its own group/profile to differentiate them. Via the group you can say tunnel all networks within split tunneling.
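The following is an added example, not from either poster, of what the "tunnel all networks" group setting looks like on the ASA 8.4 side together with a matching 881 EzVPN client, so the two halves of the question (no crypto map on the client, and the NAT the ASA needs) can be seen side by side. The names SiteToSite, Pool, set1, dyn1, LAN_INSIDE and the peer address are taken from the config posted above; the client profile name EZ, the 881 interface names FastEthernet4 (WAN) and Vlan1 (LAN), the remote LAN 192.168.20.0/24 and the object name REMOTE_LAN are assumptions for the example.

```cisco
! ===== ASA 8.4 (EzVPN server side) =====
! A hardware client in network-extension mode needs "nem enable"; "tunnelall" is
! the split-tunnel policy pushed to the client that makes it encrypt everything.
group-policy SiteToSite attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 nem enable
!
tunnel-group SiteToSite general-attributes
 address-pool Pool
 default-group-policy SiteToSite
!
! The 881 logs in with this local account (Xauth). Restricting it to
! remote-access keeps the shared VPN credential from being usable for SSH/ASDM.
username SiteToSite attributes
 service-type remote-access
!
! 8.3+ NAT: exempt ASA-LAN <-> client-LAN traffic from the dynamic PAT on LAN_INSIDE.
! REMOTE_LAN (the 881's inside subnet) is an assumed value.
object network REMOTE_LAN
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) source static LAN_INSIDE LAN_INSIDE destination static REMOTE_LAN REMOTE_LAN
!
! With tunnelall the client's Internet traffic also arrives on outside and must
! leave outside again: allow the hairpin and PAT the remote LAN behind the ASA.
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic REMOTE_LAN interface

! ===== Cisco 881 (EzVPN hardware client) =====
crypto ipsec client ezvpn EZ
 connect auto
 group SiteToSite key SomePassWord1
 mode network-extension
 peer 188.8.131.52
 username SiteToSite password SomePassWord1
 xauth userid mode local
!
! No crypto map and no crypto ACL here: the split-tunnel policy pushed by the ASA
! decides what gets encrypted. The WAN interface keeps its DHCP address and default
! route; those now only carry the ESP packets to the peer.
interface FastEthernet4
 ip address dhcp
 crypto ipsec client ezvpn EZ
!
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
 crypto ipsec client ezvpn EZ inside
```

To check it, `show crypto ipsec client ezvpn` on the 881 should report the tunnel as active and list the pushed split-tunnel policy, and `show crypto ipsec sa` shows the negotiated proxy identities (with tunnelall the remote side is 0.0.0.0/0); on the ASA, `show vpn-sessiondb ra-ikev1-ipsec` lists the connected client. Test reachability from a host behind Vlan1 rather than from the 881's own WAN address: router-originated traffic sourced from the WAN interface is not inside traffic and is not tunneled, which is why the trace in the original question never showed the peer.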