Help with ASA EzVPN configuration

Colin Higgins · ‎02-14-2014

I have a remote 1921 router that I am trying to connect to a Cisco ASA 5540 (running 8.2 code), but I am having problems.

According to this document, a split-tunnel policy is defined

http://www.alfredtong.com/cisco/cisco-ezvpn-cisco-asa-and-ios-router/

access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0

split-tunnel-network-list value EZVPN_SPLIT_TUNNEL

In my network, the remote subnet behind the 1921 is 172.30.201.0 /27
This will connect to two hosts behind the ASA (172.25.32.182 & 183)

How do I specify this split tunnel in that scenario?

My other problem is that I already have a dynamic crypto map specified on the ASA with the parameters

crypto map outside_map 65535 (for a different VPN)

My new map for the EzVPN reads

crypto dynamic-map outside_new_map 20 set pfs group1

crypto dynamic-map outside_new_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_new_map 20 match address ezvpn

crypto map outside_map 65534 ipsec-isakmp dynamic outside_new_map

But it looks like the EzVPN client is trying to use 65535 by default and main mode is failing.
Is there some way around this? Some way to specify the sequence number?

Any advice would be great!

Colin Higgins · ‎02-14-2014

OK, one update on this

Looks like I have the sequence number issue corrected. The tunnel does come up, and the remote host at 172.30.201.4 and ping the internal host at 172.25.32.182

however, the 172.25.32.182 host cannot ping back to the remote client. I have a NAT exemption in on the firewall

access-list inside_nat0_outbound extended permit ip host 172.25.32.182 172.30.201.0 255.255.255.240

and the ACL that specifies the interesting traffic

access-list ezvpn extended permit ip 172.25.32.182 255.255.255.255 172.30.201.0 255.255.255.240

But when the host 172.25.32.182 tries to ping the remote VPN client, I get an "expired in transit" message

something I forgot to do here? Not sure why it is doing this