ASA Easy VPN remote and multiple subnets

jmcburnett
Level 1

I've been reading changes in EASY VPN remote/server for the ASA and I don't see a clear answer regarding multiple VLANS.

I have multiple VLANS behind an ASA and want them all to connect across an EASY VPN Remote connection.

If this is correct who has a config sample for this or a link?

It should just be an ACL and usable via vpn remote.

Thanks,

Jim

5 Replies

rvarelac
Level 7

Hi ,

According to the documentation, this might apply to your case.

NEM with Multiple Interfaces

If you have an ASA 5505 security appliance (version 7.2 (3) and higher) configured as an Easy VPN Client in Network Extension Mode with multiple interfaces configured, the security appliance builds a tunnel for locally encrypted traffic only from the interface with the highest security level.

For example, consider the following configuration:

vlan1 security level 100 nameif inside
vlan2 security level 0 nameif outside
vlan12 security level 75 nameif work

In this scenario, the security appliance builds the tunnel only for vlan1, the interface with the highest security level. If you want to encrypt traffic from vlan12, you must change the security level of interface vlan1 to a lower value than that of vlan12.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/ezvpn505.html#wp1025408

Is there any special reason to use EzVPN instead of a regular Site-to-Site VPN?

Hope it helps

-Randy-

Hi Jim,

In addition to what Randy mentioned, with the 5505 as an EasyVPN client, multiple VLANs sitting behind the ASA will not work. Only directly connected VLANs work. The other option is to use a router (ex: 800) as the client. That works for this scenario.

hth

MS

Cisco TAC just told me that this will work with the latest code..

I am waiting for the details...

Thanks for the rating. Please post details once confirmed (on 5505). Interested to know.

Thx

MS

I talked to one of the CCIEs at the local Cisco office and he told me that was fixed..

This link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/asdm75/vpn/asdm-75-vpn-config/vpn-easyvpn.pdf

Has a section about NEM that mentions HOSTS on inside networks.. I guess I need to test this theory.

Easy VPN over regular static VPNs for scale and change control.. This would allow for head end change and re-auth of the VPN without changing EVERY remote site..

It may just become a DMVPN solution...