02-28-2020 06:02 AM
Hello Dear Fellows
I was hoping you could help me with a problem I have configuring EzVPN over a PPPoE connection.
I am trying to configure EzVPN over PPPoE on one of our remote locations.
I'm using a Cisco 891F as the client, and it will connect to the HQ's ASA firewall as the server.
I would highly appreciate it if you could take a look and see if my configuration is right.
interface Loopback0
ip address 10.10.10.1 255.255.255.252
crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!
interface Vlan1
ip address 192.168.129.1 255.255.0.0
ip helper-address 10.2.15.34
ip helper-address 172.16.1.240
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!
!
interface GigabitEthernet4
description connected to Internet
pppoe enable group global
pppoe-client dial-pool-number 1
no ip address
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex auto
speed auto
crypto ipsec client ezvpn ASA_VPN_EzVPN
!
!
interface dialer 1
ip address negotiated
ip mtu 1400
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname kaleru34@bellnet.ca
ppp chap password kaleru34
!
!
dialer-list 1 protocol ip permit
ip nat inside source list LAN interface dialer 1 overload
ip route 0.0.0.0 0.0.0.0 dialer 1
!
!
crypto isakmp key 6 hostname 64.235.56.44
!
!
crypto ipsec client ezvpn ASA_VPN_EzVPN
connect auto
group ASA_VPN_EzVPN key
mode network-extension
peer 64.235.56.44
username ezvcam170@company.com password 6
xauth userid mode local
!
!
ip access-list extended INBOUND
permit ip 205.236.110.0 0.0.0.255 any
permit ip 205.236.113.0 0.0.0.255 any
permit ip 205.236.112.0 0.0.0.255 any
permit ip host 64.235.211.40 any
permit udp any eq non500-isakmp any eq non500-isakmp
permit udp any eq isakmp any eq isakmp
permit esp any any
permit ahp any any
permit udp any eq bootps any eq bootpc
permit udp any eq domain any
permit tcp any eq domain any
evaluate TRAFFIC
deny ip any any log
ip access-list extended LAN
permit ip 192.168.20.100 0.0.255.255 any
ip access-list extended OUTBOUND
permit ip any any reflect TRAFFIC timeout 300
03-03-2020 12:37 PM
Hi,
Looks good, as long as groups, users, passwords are correct. Also, the EzVPN outside interface, where crypto is applied, should be the IP-enabled interface (Dialer1) and not the Layer 2 PPP interface (Gig4).
Regards,
Cristian Matei.
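The interface part of the client configuration rewritten the way Cristian describes, as an added example that is not from the original post or from Cristian: the EzVPN outside binding (and the INBOUND/OUTBOUND access groups, which only filter IP traffic on the interface that actually carries IP) move from the PPPoE-enabled GigabitEthernet4 to Dialer1, while the inside bindings stay on Loopback0 and Vlan1. Group name, peer, addresses and ACL names are the ones from the post. The one value that is not from the post is the TCP MSS, which is lowered to match the 1400-byte IP MTU already configured on the dialer.

```cisco
! Added example (not the poster's or Cristian's config): client interface
! bindings with the EzVPN outside interface on Dialer1 instead of Gig4.
interface GigabitEthernet4
 description connected to Internet
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 duplex auto
 speed auto
 ! This interface only carries PPPoE frames, not IP, so neither the
 ! EzVPN binding nor the IP access groups belong here.
 no crypto ipsec client ezvpn ASA_VPN_EzVPN
 no ip access-group INBOUND in
 no ip access-group OUTBOUND out
!
interface Dialer1
 ip address negotiated
 ip mtu 1400
 ! MSS should be the IP MTU minus 40 bytes of IP+TCP header. 1452 is the
 ! value for the default 1492-byte PPPoE MTU; with ip mtu 1400 it is too
 ! large and leads to fragmentation inside the tunnel. (Assumed value.)
 ip tcp adjust-mss 1360
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname kaleru34@bellnet.ca
 ppp chap password kaleru34
 ! IP is processed on the dialer, so the reflexive ACL pair and the
 ! EzVPN outside binding go here.
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 crypto ipsec client ezvpn ASA_VPN_EzVPN
!
! Inside bindings are unchanged from the post.
interface Loopback0
 crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!
interface Vlan1
 crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!
! Verification once the site is online:
!   show pppoe session
!   show crypto ipsec client ezvpn
!   show crypto isakmp sa
!   show crypto ipsec sa
```

One more thing worth checking on the INBOUND list once the tunnel is up: the lines `permit udp any eq domain any` and `permit tcp any eq domain any` admit any packet whose source port is 53, whatever its destination, which lets an outside host bypass the reflexive filter simply by sending from port 53. Because OUTBOUND reflects all IP traffic into TRAFFIC and INBOUND evaluates it, legitimate DNS replies to the site's own queries are already permitted, so those two entries can be removed without breaking name resolution.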
02-28-2020 08:03 AM
03-02-2020 05:41 AM
Hi RJI, thanks for your response.
The ASA configuration part is as below.
The problem is that this client is supposed to be installed at one of our remote locations,
and I cannot test the connectivity right now to provide show crypto output.
interface GigabitEthernet0/2
nameif Outside
security-level 0
ip address 245.236.119.240 255.255.255.240
interface GigabitEthernet0/1
nameif inside1
security-level 100
ip address 110.2.15.150 255.255.0.0
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
ospf mtu-ignore
route outside0 0.0.0.0 0.0.0.0 64.235.211.40 1
crypto ikev1 policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list ASA_VPN_EzVPN_split remark The corporate network behind the ASA
access-list ASA_VPN_EzVPN_split standard permit 245.236.119.240 255.255.255.0
group-policy ASA_VPN_EzVPN internal
group-policy ASA_VPN_EzVPN attributes
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelall
split-tunnel-network-list value ASA_VPN_EzVPN_split
default-domain value nt.tstoverland.com
tunnel-group ASA_VPN_EzVPN type remote-access
tunnel-group ASA_VPN_EzVPN general-attributes
authentication-server-group NPS-Servers
default-group-policy NOACCESS
tunnel-group ASA_VPN_EzVPN ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 20 retry 5
crypto dynamic-map dynmap1 65535 set pfs
crypto dynamic-map dynmap1 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map dynmap1 65535 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic dynmap1
crypto map Outside_map interface Outside
crypto ikev1 enable Outside
username XX password privilege 0
username XX attributes
vpn-group-policy vpn3002a
vpn-framed-ip-address 192.168.129.1 255.255.0.0
service-type remote-access
03-03-2020 01:59 PM
Hi Cristian,
Thanks for your reply. So I should remove crypto ipsec client ezvpn from Gig4, right?