06-24-2009 06:30 AM
Hi everyone
I am having the challenge of installing EasyVPN based on ASA 5520 and ASA 5505 (with the ASA5505 as the vpnclient) with multiple networks behind the ASA 5505.
Access from the network attached directly on the 5505 to the central site works just fine.
But the second network-segment (which is behind a router on the directly-attached network) cannot connect to the central site.
I guess I have to specify some kind of ACLs to be able to do this.
Btw we do not use split-tunneling, because all traffic is traveling through the tunnel (no local internet access).
The Layout looks like this
(--LAN--)-5520-- -(WAN)- --5505-(--LAN1--)-ROUTER-(--LAN2--)
Connection from LAN1 to LAN does work splendidly through the EZVPN Tunnel.
Connection from LAN2 to LAN does not work through the EZVPN Tunnel.
Here is the config used so far (besides the normal NONAT, Object-Groups, crypto and ISAKMP stuff):
Client:
vpnclient server 10.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup EzVPN password ****
vpnclient username user1 password ****
vpnclient enable
crypto ipsec df-bit clear-df outside
Server:
group-policy EzVPN internal
group-policy EzVPN attributes
 nem enable
 password-storage enable
tunnel-group EzVPN type ipsec-ra
tunnel-group EzVPN general-attributes
 default-group-policy EzVPN
tunnel-group EzVPN ipsec-attributes
 pre-shared-key ****
user user1 password ***
I hope you can help
Best Regards
Jarle
06-24-2009 12:28 PM
Unfortunately, this is not supported on the ASA platform. With EasyVPN on the ASA, only connected networks can be advertised. To accomplish what you want to do, you will need to configure a static IPSec tunnel and advertise the local networks via interesting traffic ACL. Alternatively, you could use an IOS device which does have "multiple subnet" capabilities with EasyVPN.
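The static tunnel described in the answer above, from the 5505 side, as an added example that is not part of the original thread. It assumes pre-8.3 ASA syntax and constructed addressing (LAN 10.0.0.0/24, LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, 5520 outside address 198.51.100.1, router at 192.168.1.254); the names L2L, NONAT, ESP-AES256-SHA and OUTSIDE_MAP are hypothetical.

```cisco
! Added example, constructed addresses and names (not from the thread).
! Turn off the Easy VPN client before building a static tunnel.
no vpnclient enable

! LAN2 sits behind the router on LAN1, so the 5505 needs a route to it.
route inside 192.168.2.0 255.255.255.0 192.168.1.254

! Interesting-traffic ACL: both local networks towards the central LAN.
! The 5520 needs the mirror image (source and destination swapped).
access-list L2L extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list L2L extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0

! Exempt the same flows from NAT.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1 policy; must match a policy on the 5520.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2 and the crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Site-to-site tunnel group named after the peer address.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key ****
```

To send all traffic through the tunnel, as in the original setup without split tunneling, the ACL destinations would be `any` instead of the central LAN, with the 5520 ACL mirrored accordingly.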
06-24-2009 01:02 PM
Hi everybody.
This is not supported. It is a limitation of the ASA -> Use any EzVPN Router.
Greetings
Jarle