EzVPN send all traffic over tunnel

Steven Williams
Level 4

First time working with EzVPN; while it's easy, I am lacking some understanding of it.

If I have an 881 and I have an EzVPN tunnel to an ASA at another location, how do you force all traffic over the tunnel? The 881 is getting a DHCP address from an ISP modem, and has a default route to its next hop. So from what I can tell, when I run a trace from the 881 to 4.2.2.2 it never hits the peer tunnel address?

So how does EzVPN work when it comes to traffic crossing the tunnel? IPsec L2L always uses crypto maps, so if the traffic doesn't match the crypto, then it's not allowed to pass. I don't see the same concept here like I am used to.


Steven Williams
Level 4

The ASA itself doesn't run "EzVPN" since it is 8.2, so I would assume it just runs IPsec VPN and the EzVPN devices terminate as if they were "clients".

I can't seem to get this replicated in the lab, partly because I am running 8.4 and not 8.2. I am not sure how much difference there is between the two. How does this work with crypto maps when you don't know what the client IP will be?

I would think you have to do some kind of NAT but all I see on the live device is:

nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
nat (WAN) 0 access-list WAN_nat0_outbound
nat (WAN) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 0 access-list DMZ2_nat0_outbound
nat (DMZ2) 1 192.168.107.0 255.255.255.0

Here is my config that I have applied to the ASA:

!
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.100.1.249 255.255.255.0
!
!
!
object network LAN_INSIDE
subnet 10.100.1.0 255.255.255.0
!
!
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
!
ip local pool Pool 10.99.99.1-10.99.99.99 mask 255.255.255.0
!
group-policy SiteToSite internal
group-policy SiteToSite attributes
dns-server value 10.100.6.205 10.110.6.205
vpn-simultaneous-logins 500
vpn-tunnel-protocol IPSec
default-domain value centerstone.lan
split-tunnel-all-dns enable
nem enable
!
!
!
tunnel-group SiteToSite type remote-access
tunnel-group SiteToSite general-attributes
address-pool Pool
default-group-policy SiteToSite
authentication-server-group LOCAL
tunnel-group SiteToSite ipsec-attributes
ikev1 pre-shared-key SomePassWord1
!
crypto dynamic-map dyn1 1 set ikev1 transform-set set1
!
crypto map OUTSIDE_MAP 1 ipsec-isakmp dynamic dyn1
crypto map OUTSIDE_MAP interface outside
!
crypto ikev1 enable outside
!
username SiteToSite password SomePassWord1
username SiteToSite attributes
vpn-group-policy SiteToSite
vpn-simultaneous-logins 200
password-storage enable
!
!
!
object-group network INSIDE_NETWORK
network 10.100.1.0 255.255.255.0
!
object network LAN_INSIDE
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

EzVPN client config is straight from a working unit so I know that's good. But there must be something wrong with my ASA config.

Just use the wizard via ASDM to add clients.

I'm running an ASA with over 100 EasyVPN clients (client = 88X), and every client gets its own group/profile to differentiate. Via the group you can specify "tunnel all networks" within split-tunneling.

Michael Please rate all helpful posts
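The reply above points at the group-policy as the place where an EzVPN client is told to tunnel everything or only a split-tunnel list. As an added example (not code from this thread, from Cisco, or from the poster's device), here is a small Python audit that parses the `group-policy ... attributes` blocks of an ASA running-config and reports each policy's effective split-tunnel setting, treating a missing `split-tunnel-policy` command as the ASA default of `tunnelall`. The embedded config, the policy names `Branch-Split` and `Branch-All`, the ACL `SPLIT_NETS` and its addresses are constructed for the example; the parser assumes standard ACLs and `!`-separated blocks as in the config posted above.

```python
"""Effective split-tunnel policy per ASA group-policy (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample ASA config: policy names, ACL name and addresses are
# assumptions for this example, not the poster's live device.
SAMPLE_CONFIG = """\
access-list SPLIT_NETS standard permit 10.100.1.0 255.255.255.0
access-list SPLIT_NETS standard permit 10.110.6.0 255.255.255.0
!
group-policy SiteToSite internal
group-policy SiteToSite attributes
 vpn-tunnel-protocol IPSec
 nem enable
!
group-policy Branch-Split internal
group-policy Branch-Split attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS
 nem enable
!
group-policy Branch-All internal
group-policy Branch-All attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 nem enable
"""

ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
POLICY_RE = re.compile(r"^split-tunnel-policy (tunnelall|tunnelspecified|excludespecified)$")
NETLIST_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")
STD_ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")


@dataclass
class GroupPolicy:
    name: str
    # Absent command -> inherited from DfltGrpPolicy, whose default is tunnelall.
    split_policy: str = "tunnelall"
    explicit: bool = False
    network_list: Optional[str] = None
    networks: List[str] = field(default_factory=list)


def parse_standard_acls(config: str) -> Dict[str, List[str]]:
    """Collect 'network mask' entries of every standard ACL in the config."""
    acls: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = STD_ACL_RE.match(raw.strip())
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return acls


def parse_group_policies(config: str) -> Dict[str, GroupPolicy]:
    """Walk the config once, tracking which 'attributes' block we are inside."""
    acls = parse_standard_acls(config)
    policies: Dict[str, GroupPolicy] = {}
    current: Optional[GroupPolicy] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ATTR_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
            continue
        # Assumption: a '!', a blank line or another group-policy line ends the block
        # (indentation is not relied on, since pasted configs often lose it).
        if not line or line == "!" or line.startswith("group-policy "):
            current = None
            continue
        if current is None:
            continue
        m = POLICY_RE.match(line)
        if m:
            current.split_policy = m.group(1)
            current.explicit = True
            continue
        m = NETLIST_RE.match(line)
        if m:
            current.network_list = m.group(1)
            current.networks = acls.get(m.group(1), [])
    return policies


def tunnels_all_traffic(policy: GroupPolicy) -> bool:
    """True when clients in this policy send every packet through the tunnel."""
    return policy.split_policy == "tunnelall"


def audit(config: str) -> Dict[str, str]:
    """One-line finding per group-policy."""
    report: Dict[str, str] = {}
    for name, gp in parse_group_policies(config).items():
        nets = ", ".join(gp.networks) or "<ACL not found>"
        if tunnels_all_traffic(gp):
            how = "explicit" if gp.explicit else "inherited default"
            report[name] = f"all traffic tunnelled ({how})"
        elif gp.split_policy == "tunnelspecified":
            report[name] = f"only {nets} tunnelled (via {gp.network_list})"
        else:
            report[name] = f"all traffic tunnelled except {nets} (via {gp.network_list})"
    return report


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{name:14s} {finding}")
```

Run against the config posted above, the `SiteToSite` policy reports as tunnel-all by inheritance, which is why a policy with no `split-tunnel-policy` line already sends all client traffic through the tunnel; the audit only exposes that choice per group, it does not check the client side or the NAT the ASA needs for hairpinned Internet traffic.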