
EzVPN Client and Site-to-Site IPSec VPN on a single ISR 891 router

walberty
Level 1

We have a Cisco 891 configured as an EzVPN client to a service provider gateway. We have a requirement to provision a second VPN tunnel to an ASA 5512X. We would like to use a standard site-to-site IPsec VPN for the second tunnel to the ASA 5512X. This is in part because the ASA has a simple configuration with one other Site-to-Site VPN and I did not want to add the complexity of an EzVPN server component to it. Can I run both the EzVPN client and a site-to-site VPN on the ISR 891? Has anyone done this, and if so, are there any configuration examples?

3 Replies

Terence Payet
Level 1

Hi,

One thing to point out. Please avoid using your real IP in configurations or diagrams, as this may pose a security risk.

Anyway, yes you can. Just create another sequence of the same crypto map currently applied on your WAN interface as per below config example:

cisco 891

interface fa0/0
 ip add x.x.x.x x.x.x.x
 crypto map EzVPN
!
crypto map EzVPN 20 ipsec-isakmp
 set peer
 set transform-set
 match address

If you need a complete config template, let me know.

HTH.

Regards,

Terence

Thanks Terence. I found an article with a similar configuration to yours. However, the existing EzVPN we have inherited is different (I will upload an example tomorrow). I have configured it with two crypto map statements on the outside interface (see below). Hopefully I can test in my lab over the next day or so.

!
interface GigabitEthernet0/0
 ip address 3.3.3.3 255.255.255.224
...
 crypto ipsec client ezvpn aap00246 outside
 crypto map vpnmap
!

Watie

Terence,

I have successfully configured and tested this solution in my lab using an ASA 5510 for the original EzVPN server (9.1(2)), an ASA 5506 (9.3(2)2) for the IPsec VPN tunnel remote, and a 1941W (15.1(3)T) for the client with both the EzVPN and IPsec Site-to-Site tunnel configurations. Although the firmware versions vary somewhat from the production ASAs and 891 router, this configuration should work, and I will be deploying this afternoon.

There did not seem to be any overlapping conflicts or issues with the two configurations on the router. Due to some subnet overlapping between the original EzVPN configuration and the new one (which was more specific), it was necessary to sequence the noNAT statements and the crypto map statements accordingly, based on client priorities of the two VPNs and the preferred routing policies.

Watie
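
The sequencing point in the last reply, as an added example (not code from the thread): when two tunnels protect overlapping subnets and entries are evaluated first-match, a broad entry placed ahead of a more specific one captures its traffic, so flows meant for one peer are sent to the other. The sketch assumes plain first-match by sequence number, which also describes the NAT-exemption list; the subnets, sequence numbers and tunnel labels are constructed, not taken from the posters' networks.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: (sequence, tunnel label, local subnet, remote subnet).
ENTRIES = [
    (10, "ezvpn", "10.1.0.0/16", "10.0.0.0/8"),
    (20, "site-to-site", "10.1.0.0/16", "10.20.30.0/24"),
]

def _rules(entries):
    """Parse entries and return them in evaluation order (ascending sequence)."""
    parsed = [(s, n, ip_network(a), ip_network(b)) for s, n, a, b in entries]
    return sorted(parsed, key=lambda r: r[0])

def first_match(entries, src, dst):
    """Return the tunnel label a src -> dst flow is assigned to, or None."""
    for _, name, s_net, d_net in _rules(entries):
        if ip_address(src) in s_net and ip_address(dst) in d_net:
            return name
    return None

def shadowed(entries):
    """List (later_seq, earlier_seq) pairs where the earlier entry already
    matches every flow of the later one, so the later one never matches."""
    rules = _rules(entries)
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later[2].subnet_of(earlier[2]) and later[3].subnet_of(earlier[3]):
                hits.append((later[0], earlier[0]))
    return hits

def reorder(entries):
    """Renumber so more specific entries come first. An entry that covers
    another always has a smaller combined prefix length, so sorting on that
    sum (descending) never leaves a covered entry behind its coverer."""
    ranked = sorted(_rules(entries),
                    key=lambda r: -(r[2].prefixlen + r[3].prefixlen))
    return [(10 * (i + 1), n, str(a), str(b))
            for i, (_, n, a, b) in enumerate(ranked)]

if __name__ == "__main__":
    flow = ("10.1.5.5", "10.20.30.7")
    print("as configured:", first_match(ENTRIES, *flow), shadowed(ENTRIES))
    fixed = reorder(ENTRIES)
    print("reordered:    ", first_match(fixed, *flow), shadowed(fixed))
```

Feeding the same function the NAT-exemption entries and the crypto ACL entries shows whether both lists agree on which tunnel owns an overlapping range.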