Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
920
Views
0
Helpful
4
Replies

EzVPN over PPOE

Go to solution
Taurus
Level 1
Level 1

‎02-28-2020 06:02 AM

Hello Dear Fellows

 

I was hoping you could help me on the problem that I have configuring EZVPN using PPOE connection

 

I am trying to configure an EZVPN over PPOE onone  of our remote locations.

I'm using Cisco 891F as client and it will connect to the HQ's ASA Firewall as server

I would highly appreciate it if you could take a look and see if my configuration is right .

 

interface Loopback0
ip address 10.10.10.1 255.255.255.252
crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!
interface Vlan1
ip address 192.168.129.1 255.255.0.0
ip helper-address 10.2.15.34
ip helper-address 172.16.1.240
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!

!

interface GigabitEthernet4
description connected to Internet
pppoe enable group global
pppoe-client dial-pool-number 1
no ip address
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex auto
speed auto
crypto ipsec client ezvpn ASA_VPN_EzVPN
!

!
interface dialer 1
ip address negotiated
ip mtu 1400
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap username kaleru34@bellnet.ca
ppp chap password kaleru34

!

!
dialer-list 1 protocol ip permit
ip nat inside source list LAN interface dialer 1 overload
ip route 0.0.0.0 0.0.0.0 dialer 1

!

!
crypto isakmp key 6 hostname 64.235.56.44
!

!
crypto ipsec client ezvpn ASA_VPN_EzVPN
connect auto
group ASA_VPN_EzVPN key
mode network-extension
peer 64.235.56.44
username ezvcam170@company.com password 6
xauth userid mode local

!

!

ip access-list extended INBOUND
permit ip 205.236.110.0 0.0.0.255 any
permit ip 205.236.113.0 0.0.0.255 any
permit ip 205.236.112.0 0.0.0.255 any
permit ip host 64.235.211.40 any
permit udp any eq non500-isakmp any eq non500-isakmp
permit udp any eq isakmp any eq isakmp
permit esp any any
permit ahp any any
permit udp any eq bootps any eq bootpc
permit udp any eq domain any
permit tcp any eq domain any
evaluate TRAFFIC
deny ip any any log

 

ip access-list extended LAN
permit ip 192.168.20.100 0.0.255.255 any

 

ip access-list extended OUTBOUND
permit ip any any reflect TRAFFIC timeout 300

--------------------------------------------------------------

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-03-2020 12:37 PM

Hi,

 

    Looks good, as long as groups, users, passwords are correct. Also, the EzvpN outside interface, where crypto is applied, should be the IP enabled interface (Dialer1) and not the layer2 PPP interface (Gig4).

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎02-28-2020 08:03 AM

Hi,
What is the actual issue exactly? Has the VPN established?
Can you provide the output of "show crypto isakmp sa" and "show crypto ipsec sa" from the router
Can you provide the ASA configuration?
0 Helpful

Go to solution
Taurus
Level 1
Level 1
In response to Rob Ingram

‎03-02-2020 05:41 AM

Hi RJI , Thanks for your response

The ASA Configuration part is as bellow

The problem is this client is supposed to be installed on one of our remote locations

and I cannot test the connectivity right now to procive show crypto output


interface GigabitEthernet0/2
nameif Outside
security-level 0
ip address 245.236.119.240 255.255.255.240

interface GigabitEthernet0/1
nameif inside1
security-level 100
ip address 110.2.15.150 255.255.0.0
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
ospf mtu-ignore

route outside0 0.0.0.0 0.0.0.0 64.235.211.40 1

crypto ikev1 policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

access-list ASA_VPN_EzVPN_split remark The corporate network behind the ASA
access-list ASA_VPN_EzVPN_split standard permit 245.236.119.240 255.255.255.0

group-policy ASA_VPN_EzVPN internal
group-policy ASA_VPN_EzVPN attributes
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelall
split-tunnel-network-list value ASA_VPN_EzVPN_split
default-domain value nt.tstoverland.com

tunnel-group ASA_VPN_EzVPN type remote-access
tunnel-group ASA_VPN_EzVPN general-attributes
authentication-server-group NPS-Servers
default-group-policy NOACCESS
tunnel-group ASA_VPN_EzVPN ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 20 retry 5

crypto dynamic-map dynmap1 65535 set pfs
crypto dynamic-map dynmap1 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map dynmap1 65535 set reverse-route

crypto map Outside_map 65535 ipsec-isakmp dynamic dynmap1
crypto map Outside_map interface Outside
crypto ikev1 enable Outside

username XX password privilege 0
username XX attributes
vpn-group-policy vpn3002a
vpn-framed-ip-address 192.168.129.1 255.255.0.0
service-type remote-access

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-03-2020 12:37 PM

Hi,

 

    Looks good, as long as groups, users, passwords are correct. Also, the EzvpN outside interface, where crypto is applied, should be the IP enabled interface (Dialer1) and not the layer2 PPP interface (Gig4).

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
Taurus
Level 1
Level 1
In response to Cristian Matei

‎03-03-2020 01:59 PM

Hi Cristian

Thanks for you replay , So I should remove crypto ipsec cleint ezvpn from Gig4 right?

0 Helpful
Customers Also Viewed These Support Documents