618 Views, 0 Helpful, 9 Replies
Beginner

EasyVPN 5505 as client

Hi, I have an ASA5505 in EasyVPN client mode with NEM, which terminates over the public network to an ASA5585 (EasyVPN server). On the ASA5505 I have two ISPs and an SLA which monitors ISP1; in case it fails, a new default route is installed via ISP2 (vlan2), but the VPN tunnel over the ISP2 link (interface vlan3) does not come up.

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.11.248.50 255.255.255.0
!
interface Vlan2
 no forward interface Vlan3
 nameif outside
 security-level 0
 ip address 19x.18x.21x.242 255.255.255.252
!
interface Vlan3
 nameif backup
 security-level 2
 ip address 9x.2x.2x.7x 255.255.255.252

From my perspective this happens because the EasyVPN client can ONLY build a VPN tunnel if traffic goes from the interface with the highest security level (Vlan 1 in my case) to the lowest (vlan 2 in my case). Is there any way to use this EasyVPN technology on a client device with redundant ISPs?

9 Replies
Cisco Employee

You can try to change your backup interface to have the same security level as the outside. There is no reason to have different security levels, as you are not passing traffic between the outside and the backup interface anyway.

As you can see below, for some reason it can't:

KRD-UKGK(config)# int vlan 3
KRD-UKGK(config-if)# secu
KRD-UKGK(config-if)# security-level 0
ERROR: This configuration cannot be modified with Cisco Easy VPN Remote enabled.
KRD-UKGK(config-if)# exi
KRD-UKGK(config)# no vpncli
KRD-UKGK(config)# no vpnclient ena
KRD-UKGK(config)# no vpnclient enable
KRD-UKGK(config)# int vlan 3
KRD-UKGK(config-if)# security-level 0
KRD-UKGK(config-if)# exi
KRD-UKGK(config)#  vpnclient enable
ERROR: Unable to determine Easy VPN Remote internal and external interfaces: multiple interfaces with the same security levels.
KRD-UKGK(config)# exi
KRD-UKGK# sh run | i vpn
vpnclient server 19x.1x.1x0.5
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup ut password *****
vpnclient username ut password *****
webvpn
KRD-UKGK# conf t
KRD-UKGK(config)# int vlan 3
KRD-UKGK(config-if)# se
KRD-UKGK(config-if)# secu
KRD-UKGK(config-if)# security-level 3
KRD-UKGK(config-if)# exi
KRD-UKGK(config)#  vpnclient enable
KRD-UKGK(config)# exi
KRD-UKGK#

OK, please kindly change the security level back to the original value, i.e. 2.

You would also need to configure "backup interface" command on the outside interface to identify that the "backup" interface is the backup.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/b.html#wp1359012

Strange thing, but I don't have this command under the interface-level CLI. Maybe it's because of my licence:

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

With Easy VPN, you would need the "backup interface" command; however, with that command you would need to have the "Security Plus" license, because the interface needs to become a full interface instead of a partial interface that can only forward traffic to one other interface.

Let's try this final option:

interface Vlan2
 nameif outside
 backup interface vlan 3
 security-level 0
 ip address 19x.18x.21x.242 255.255.255.252
!
interface Vlan3
 nameif backup
 no forward interface Vlan2
 security-level 2
 ip address 9x.2x.2x.7x 255.255.255.252
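Putting the pieces of this thread together, here is an added example (not from the original thread and not Cisco's own text) of a complete ASA 5505 Easy VPN Remote client configuration with two ISPs. It combines the poster's interface and vpnclient lines with the backup interface command suggested above and an SLA-tracked default route of the kind the poster describes. It assumes a Security Plus license is installed (the thread states that backup interface needs it); the ISP gateway addresses and the ICMP probe target are placeholders, and the masked addresses are the poster's.

```cisco
! Added example: Easy VPN Remote (NEM) client on an ASA 5505 with two ISPs.
! Assumes a Security Plus license; ISP1_GATEWAY, ISP2_GATEWAY and
! PROBE_TARGET_IP are placeholders to be replaced with real addresses.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.11.248.50 255.255.255.0
!
interface Vlan2
 nameif outside
 backup interface vlan 3
 security-level 0
 ip address 19x.18x.21x.242 255.255.255.252
!
interface Vlan3
 nameif backup
 security-level 2
 ip address 9x.2x.2x.7x 255.255.255.252
!
! ICMP probe through ISP1; the tracked default route below is withdrawn
! while the probe fails, so the floating route via ISP2 takes over.
sla monitor 1
 type echo protocol ipIcmpEcho PROBE_TARGET_IP interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route outside 0.0.0.0 0.0.0.0 ISP1_GATEWAY 1 track 1
route backup 0.0.0.0 0.0.0.0 ISP2_GATEWAY 254
!
! Easy VPN Remote client settings as shown by the poster's "sh run | i vpn"
vpnclient server 19x.1x.1x0.5
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup ut password *****
vpnclient username ut password *****
vpnclient enable
```

With the backup interface command in place, the appliance moves the VPN rules to the backup interface when it becomes the primary, as the documentation quoted later in this thread states; without it, the tunnel stays bound to the outside interface and will not re-establish over ISP2. After a failover, show track 1 and show route confirm that the tracked route has been withdrawn and the floating route via the backup interface is active, and show vpnclient shows the client state.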

Hi, I just don't have this "backup interface vlan 3" command under interface configuration mode.

Also I want to ask you: in the URL which you provided to me I see this:

"The Security Plus license no longer limits the number of VLAN interfaces to 3 for normal traffic, 1 for a backup interface, and 1 for failover; you can now configure up to 20 interfaces without any other limitations. Therefore the backup interface command is not required to enable more than 3 interfaces."

My question is: why do I need the SecPLUS license to enable "backup interface" if this command (backup interface) is not required to enable more than 3 interfaces?

You would need it for Easy VPN, as stated further down the line:

"When you configure Easy VPN with the backup interface command, if the backup interface becomes the primary, then the adaptive security appliance moves the VPN rules to the new primary interface."

What version of ASA are you running?


UKGK# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

UKGK up 1 day 12 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 442b.037a.0c6f, irq 11
 1: Ext: Ethernet0/0         : address is 442b.037a.0c67, irq 255
 2: Ext: Ethernet0/1         : address is 442b.037a.0c68, irq 255
 3: Ext: Ethernet0/2         : address is 442b.037a.0c69, irq 255
 4: Ext: Ethernet0/3         : address is 442b.037a.0c6a, irq 255
 5: Ext: Ethernet0/4         : address is 442b.037a.0c6b, irq 255
 6: Ext: Ethernet0/5         : address is 442b.037a.0c6c, irq 255
 7: Ext: Ethernet0/6         : address is 442b.037a.0c6d, irq 255
 8: Ext: Ethernet0/7         : address is 442b.037a.0c6e, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Same thing on another 5505 ASA with different software (there is no BACKUP command):

SPB-Developer1(config)# int vlan 2
SPB-Developer1(config-if)# ba
SPB-Developer1(config-if)# ba?
configure mode commands/options:
  banner
SPB-Developer1(config-if)# exi
SPB-Developer1(config)# exi
SPB-Developer1# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)

Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"