
Setting up Easy VPN / Basic Qs

jackleung
Level 1

I'm a little confused with the differences in setting up easy vpn client or network extension mode. According to docs:

•Client—Specifies that NAT or PAT be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that does not use any IP addresses in the IP address space of the destination server.

So does that mean I don't have to specify an ip local pool on the easy vpn server if using client-mode? In the various sample configs used for this, they all specified an IP pool for incoming connections to grab addresses from or is this pool used for something else?

Actually, my bigger question would be, since the client end has a static IP assigned to both its private and public interfaces, would that render client-mode pointless and we should use network extension instead? Basically at their end they cannot use DHCP due to company policy. Does Network extension require DHCP configured onto its device?

2 Replies

rafaelgarcia
Level 1

Hi,

What it means is that you will see all your clients using the same IP address (this mode is called the client mode or NAT mode) and not their individual IP addresses. For instance, I have configured Easy VPN to handle IP phones behind the PIX. I also configured DHCP on the client PIX, so my phones are getting IPs in the range of 10.18.16x.x, but on my Call Manager all these phones show as only one IP in the range of 192.168.x.x.

The only difference between client mode and network extension mode is that in client mode the tunnel is up when necessary. In other words, if there is no traffic the tunnel will be down. In network extension mode, the tunnel is up whether or not there is traffic passing through the tunnel.

Let me know if this helps.

Would another difference be that network extension does not use NAT since both ends can see each other's IP? I guess there shouldn't be security problems since these are two trusted LANs that are looking at each other?

I'll prob be doing network extension for this remote site. Since they all have static IPs assigned at their end, do I need to define that IP range so that my easy vpn server will accept them? Something like permit rule here:

crypto isakmp client configuration group VPNGROUP
 ??? permit [remote ip address range]???
 key PASSWORD
 dns x.x.x.x x.x.x.x
 wins x.x.x.x x.x.x.x
 domain SERVERSIDEDOMAIN
 pool VPNPOOL

Thanks for your help in advance.