EzVPN on ASA5506 and Connected Networks

Hi All

I have a customer who has purchased the new ASA5506W (with built-in AP) firewalls and needs to configure EzVPN on them to a Head Office site. The EzVPN feature was initially removed from the ASA5506 series firewalls but will be returning in IOS release 9.5, which is due to be released soon. My question, however, is not about whether the ASA5506 supports EzVPN; it is the following:

The EzVPN feature only supports connected networks accessing the head office LAN from the VPN client (the remote EzVPN FW), so in a scenario where there are multiple VLANs behind the remote EzVPN FW, any network segment which is not directly connected will not be able to access the Head Office LAN. See the following post for an explanation of the issue: https://supportforums.cisco.com/discussion/10678416/asa-ezvpn-multiple-remote-subnets.

Now, my question (or solution which I think is a workable workaround) is as follows:

If I create multiple sub-interfaces on the physical interface of the ASA5506 and trunk this interface to the Cisco switch, then my multiple VLANs/segments become directly connected segments and therefore, given the limitation of the EzVPN feature, should be able to access the head office LAN. Or am I mistaken here?

So basically, with the limitation of only connected networks being advertised, a situation like the one below does not work:

(--HEAD OFFICE LAN--)-->>ASA5520-->>(INTERNET/WAN)<<--5506W-->>(--LAN1--)-ROUTER / L3 SWITCH-(--MULTIPLE VLANS--)

Now my solution (which I think should work) is as follows:

(--HEAD OFFICE LAN--)-->>5520-->>(INTERNET/WAN)<<--5506-->>(--PHYSICAL-INTERFACE ((+MULTIPLE SUB-INTERFACES))--)-->>TRUNK TO SWITCH

Any ideas as to why this thinking would not work?
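For reference, here is what the sub-interface design sketched above looks like in configuration. This is an added example, not configuration from the thread or from Cisco; the interface numbers, VLAN IDs, interface names and addressing are assumptions and would be replaced with the real site values. It shows the ASA side (one 802.1Q sub-interface per VLAN on a single physical inside port) and the matching trunk on the Cisco switch, plus the checks that confirm each VLAN subnet is now a connected route on the ASA.

```cisco
! ---- ASA 5506 side (added example; port, VLAN IDs and addresses are assumed) ----
!
! The physical port carries the trunk and gets no nameif or IP address of its own.
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One sub-interface per VLAN. Each one is a directly connected network on the ASA.
interface GigabitEthernet1/2.10
 vlan 10
 nameif lan-users
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/2.20
 vlan 20
 nameif lan-servers
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/2.30
 vlan 30
 nameif lan-voice
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
! Traffic between interfaces at the same security level is dropped by default.
! Leave this line out to keep the VLANs isolated from each other through the ASA,
! or enable it and control inter-VLAN traffic with access-lists on each nameif.
same-security-traffic permit inter-interface
!
! Verification: every VLAN subnet should now appear as a "C" (connected) route,
! which is the property the EzVPN hardware client advertises.
! show route
! show interface ip brief

! ---- Cisco switch side (added example; port and VLAN IDs are assumed) ----
!
interface GigabitEthernet0/1
 description Trunk to ASA5506 Gi1/2
 switchport trunk encapsulation dot1q   ! only on platforms that require it (e.g. 3560/3750)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate                 ! static trunk, DTP disabled
!
! Verification:
! show interfaces trunk
```

Two side effects of this design are worth keeping in mind. First, all inter-VLAN traffic now passes through the ASA instead of a downstream L3 switch, so it is subject to the firewall's access-lists and inspection; that is a segmentation gain, but the throughput of the 5506 becomes the inter-VLAN bottleneck. Second, each sub-interface counts toward the VLAN/interface limit that is licensed on this platform, so the number of VLANs has to be checked against the license installed on the box.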

2 Replies

Abaji Rawool
Level 3

I have not tested this, but it should be OK as long as you do not hit the interface limit on the box if you have the Base license.

HTH

Abaji.

The devices in question will have the Security Plus licenses, and we would not exceed the interface limit on the device.