ASA 5505 Easy VPN to ASA 5510 Question

danmadsen (Level 1)

I am working on configuring ASA 5505's for some of our remote offices to connect to our 5510 at HQ.. I have the 5505's configured and running using Easy VPN since they will be getting their IP addresses dynamically.

From a computer connected to the ASA I can connect to and ping all of my servers at HQ. From HQ I can't ping the computer or RDP to it.

I haven't done this type of a config in years so I'm unsure of what I need to change. It seems to me that the routes aren't populating at the HQ to get to the 5505's. I was reading up on Reverse Route Injection and that seems like the right answer. I wanted to get some other ideas before I made any changes to the 5510.

Any thoughts or tips would be appreciated.

Thanks

10 Replies

raga.fusionet (Level 4)

Are you using Network Extension Mode or Client mode?

In order to get from the HQ to the branch you need to use NEM.

Here is a config example in case you want to compare it against your current config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

Reverse Route Injection works if you are running a routing protocol at the HQ and you want to inject routes to the remote sites as static routes into your routing protocol via the ASA at the HQ.

Have a good one.

Raga

Thanks for the info Luis, I'll check the settings tonight and make sure I am using NEM.

OK, so one problem solved and another created. I configured NEM on the 5505 and the 5510. VPN will now connect, unfortunately I am now getting a routing error.

When I connect a computer to the ASA 5505 it says no internet access. I have deleted and recreated the Easy VPN configs and the problem persists.

Thanks

I assume you are not using split tunneling. Otherwise the remote ASA should be able to route the Internet traffic using its own ISP.

If you don't want to enable split tunneling then you would need to do something like this at the HQ:

same-security-traffic permit intra-interface

nat (outside) 1 192.168.10.0 255.255.255.0

You would need to replace 192.168.10.0 with the subnet at the remote location. This would NAT the traffic from the remote office and send it out to the Internet.
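For reference, here is what the full-tunnel (no split tunnel) hairpin arrangement described above looks like as a complete fragment. This is an added example, not the poster's config or a Cisco document; the HQ LAN (10.10.0.0/16), branch LAN (192.168.10.0/24), NAT ID 1 and the ASA 8.0-8.2 NAT syntax are assumptions, and the 8.3+ equivalent is shown separately because the NAT model changed in that release.

```cisco
! --- ASA 5510 head-end, ASA 8.0-8.2 syntax (assumed) ---
! Addresses are assumed: HQ inside 10.10.0.0/16, branch LAN 192.168.10.0/24.
!
! Let branch traffic arrive on outside (from the tunnel) and leave on outside again
same-security-traffic permit intra-interface
!
! Keep HQ<->branch traffic un-NATed so return traffic is routed back into the tunnel
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The nat (outside) line needs a matching global on the same interface, otherwise
! branch Internet traffic has no translation and is dropped
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
nat (outside) 1 192.168.10.0 255.255.255.0

! --- Same thing on ASA 8.3+ (object NAT); intra-interface line is unchanged ---
same-security-traffic permit intra-interface
object network BRANCH-LAN
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
object network HQ-LAN
 subnet 10.10.0.0 255.255.0.0
! Identity (twice) NAT so HQ-to-branch traffic is not caught by other NAT rules
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN
```

To confirm the hairpin is taking effect, trace a branch host going to the Internet from the outside interface, e.g. `packet-tracer input outside tcp 192.168.10.50 1025 198.51.100.10 80` (addresses assumed), and check that the NAT phase shows the outside interface address; `show xlate` should then list the branch address translated to the HQ outside IP once real traffic flows. Note that traffic arriving through the tunnel bypasses the outside interface ACL while `sysopt connection permit-vpn` (the default) is in place, so the group policy's filter, not the interface ACL, is what constrains the branch.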

Unfortunately I do have split tunneling configured and it's not working. The VPN will create the tunnel, but it looks like no traffic is being routed.

To simplify the programming I used the same address pool and split tunnel config that we use for our vpn clients on laptops. I figured since this configuration was already working I would utilize it. Should I be creating a unique address pool and split tunnel config for the ASA 5505's to use?

Thanks for your help on this. I only work on these things every couple of years so my experience is rather limited. I'm beginning to think they may want to rename Easy VPN.

I'm sorry, but you just said that you are using the same pool. Did you go back to client mode instead of NEM?

Why don't you share your configs with us to see if we find anything wrong?

And yeah I totally agree with you about the "EZ" part on EZVPN...

I am still using NEM. When I used the Ipsec wizard on the 5510 it had me select a pool during the configuration. I already have vpn clients connecting using the 5510. So I used the same pool and split tunnel information as the vpn clients.

Should that have changed when I changed to NEM?

Well, when you use NEM you don't have an IP associated with the site; that is why you don't need a pool.

Now that you mentioned it you do need a separate group and group policy for the remote ASA since it requires a different config than the rest of the VPN clients (No IP Pool & NEM enabled).
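To make the earlier NEM advice and this point about a dedicated group concrete, below is a complete Easy VPN NEM pairing for the two boxes: a head-end tunnel group and group policy used only by the hardware client (no address pool, `nem enable`, split tunnel, and reverse-route injection so HQ gets a route to the branch LAN), plus the matching 5505 hardware-client side. This is an added example, not the poster's or Cisco's configuration; the addresses (HQ LAN 10.10.0.0/16, branch LAN 192.168.10.0/24, HQ outside 203.0.113.1), the names, the credentials, and the ASA 8.0-8.2 syntax are all assumptions.

```cisco
! --- ASA 5510 head-end (HQ), ASA 8.0-8.2 syntax (assumed) ---
! Assumed addressing: HQ LAN 10.10.0.0/16, branch LAN 192.168.10.0/24,
! HQ outside 203.0.113.1. Names and secrets are placeholders.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
! RRI: when the NEM tunnel comes up, install a static route to 192.168.10.0/24
! via outside, so HQ hosts can initiate ping/RDP toward the branch
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Do not NAT HQ-to-branch traffic
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Only HQ networks go through the tunnel; branch Internet traffic uses the branch ISP
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
!
! Dedicated group policy for hardware clients: NEM enabled, no address pool
group-policy EZVPN-NEM internal
group-policy EZVPN-NEM attributes
 vpn-tunnel-protocol IPSec
 nem enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! One user per branch device (local auth assumed; AAA is preferable in production)
username branch01-asa password Use-A-Long-Random-Secret
username branch01-asa attributes
 vpn-group-policy EZVPN-NEM
 service-type remote-access
!
! Dedicated tunnel group; do not reuse the laptop client group or its pool
tunnel-group EZVPN-BRANCH type remote-access
tunnel-group EZVPN-BRANCH general-attributes
 default-group-policy EZVPN-NEM
tunnel-group EZVPN-BRANCH ipsec-attributes
 pre-shared-key Group-PSK-Not-Shared-With-Laptops

! --- ASA 5505 remote (branch) as Easy VPN hardware client ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
vpnclient server 203.0.113.1
vpnclient mode network-extension-mode
! Bring the tunnel up without waiting for interesting traffic from the branch
vpnclient nem-st-autoconnect
vpnclient vpngroup EZVPN-BRANCH password Group-PSK-Not-Shared-With-Laptops
vpnclient username branch01-asa password Use-A-Long-Random-Secret
vpnclient enable
```

Two things to check after applying it on the head-end: `show crypto ipsec sa` should show the branch subnet (not a single pool address) as the remote proxy identity, which is what distinguishes NEM from client mode, and `show route` should list 192.168.10.0/24 as a static route via outside while the tunnel is up, which is the RRI route the original question was missing. Giving the 5505s their own tunnel group also means the group pre-shared key and the per-device credentials can be rotated without touching the laptop users.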

Alright, I made the changes and still no joy. Tonight I'm going to go back to the original config for client mode and deal with the remote issue in another way. This is way too much work for something as simple as getting one Cisco VPN device to communicate with another Cisco VPN device.

I appreciate you taking the time to help me.

Thanks

Dan,

EzVPN might get funky sometimes. Have you looked into something like a "dynamic to static Lan to Lan" ?

If you are using EzVPN on the branch because you have a dynamic IP, you might want to give it a shot.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

The config example uses a PIX 6.3 as remote, but the configuration on the remote site should be the same as any other L2L config. The one that changes is the one at the HQ where you need to configure a Default L2L group to accept the dynamic connections.

Have a good one.

Raga
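For comparison with the linked Cisco example, here is the dynamic-to-static LAN-to-LAN arrangement written for two ASAs instead of a PIX 6.3 remote: the HQ side uses a dynamic crypto map and DefaultL2LGroup to accept a peer whose address it does not know, and the branch side is a normal static-peer L2L. This is an added example, not from the thread or the Cisco document; the addresses (HQ LAN 10.10.0.0/16, branch LAN 192.168.10.0/24, HQ outside 203.0.113.1), names, secret and ASA 8.0-8.2 syntax are assumptions.

```cisco
! --- HQ ASA 5510: accept an L2L peer whose public IP is unknown ---
! Assumed addressing: HQ LAN 10.10.0.0/16, branch LAN 192.168.10.0/24,
! HQ outside 203.0.113.1; ASA 8.0-8.2 syntax.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Dynamic crypto map: no peer and no match address, so the branch's proxy IDs are
! accepted as proposed; RRI installs the route to 192.168.10.0/24 when the SA is up
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-L2L 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
!
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! L2L connections from unknown peers fall into DefaultL2LGroup. This single PSK
! is shared by every dynamic branch: a compromised 5505 exposes it for all sites,
! so switch to certificates (authentication rsa-sig in the ISAKMP policy and a
! trust-point on the tunnel group) once more than a couple of branches exist.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Long-Random-L2L-Secret

! --- Branch ASA 5505: ordinary static-peer L2L pointing at HQ ---
access-list L2L-HQ extended permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list L2L-HQ
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key Long-Random-L2L-Secret
```

The operational caveat is the same one that applies to any dynamic-peer design: HQ cannot initiate the tunnel because it does not know the branch address, so HQ-to-branch pings and RDP only work while the branch has brought the tunnel up, and the RRI route disappears when the SA expires. On the branch, `show crypto isakmp sa` and `show crypto ipsec sa` confirm the tunnel; on HQ, `show route` should show the branch /24 as a static route via outside while it is up.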