09-04-2019 02:11 PM
Hi Cisco community,
I hope someone can help with this. As you know, Cisco has discontinued the 800 series routers, replacing them with the ISR series. These ISR routers do not come with the EZvpn client feature (they come with the server feature only!!!). In my production architecture this is a major issue, as I used the EZvpn client as the way to connect branches with routers behind other NAT devices and sometimes with dynamic public IPs. That magic came to an end with the ISR routers. On the other side of all VPN connections there is an ASA 5508-X acting as the EZvpn server.

The main problem is the lack of control that I have over the way branches connect to the Internet (I know it sounds weird, but these are the circumstances I face; in other words, I'm not the one who pays the Internet bill in some branches). For the ASA the situation is very common, one public static IP address to point at, but the branches... well... they find a way to connect through the Internet link no matter what, thanks to the EZvpn client. What kind of new magic can I use on the ISR routers to replace the EZvpn client (as far as I know, DMVPN requires the pre-NAT addresses to be fixed and it requires a 1:1 NAT, a huge no-no in my scenario)?
ASA 5508-X (EZvpn server) ---> whatever Internet link ---> Cisco 800 series (EZvpn client)
ASA 5508-X (?) ---> whatever Internet link ---> ISR routers (?)
Thanks a lot for your help.
09-04-2019 02:28 PM
As far as I know (I tested an ISR 4K some time ago), it does not have the EZvpn client capability. What model of ISR do you have?
09-05-2019 07:20 AM
I'm using the ISR 1111 router, and yes, they don't have the EZvpn client feature (which is the root cause of my problem). They only come with the EZvpn server feature. That is why I need an alternative to the EZvpn client on the ISR routers.
Thanks for your support.
09-05-2019 08:09 AM
09-06-2019 10:47 AM
Hi RJI,
Yes, it seems DMVPN is not an option. Maybe I can install a router to terminate the DMVPN tunnels and then connect the ASA, but DMVPN is not compatible with PAT. The part that is probably causing confusion is the WAN private address, so let me illustrate it better:
BRANCH                                                                              CENTRAL OFFICE
LAN--Router---------------Router (third party router)-----......Internet......---------------ASA----------LAN
        |                          |                                                           |
 (dynamic private address)  (public dynamic IP address)                              (public static IP address)
As you can see, my router's WAN will have a private IP address assigned by another router (which is managed by others, so I can't do anything on it). This third-party router will connect to the Internet with a public dynamic IP address. The ASA at the central office will have a public static IP address. As you can see, the problem is that the typical tunnel interfaces will not help, as my router doesn't have a public routable IP address on the WAN interface and depends on the NAT process of the third-party router. That was the magic of EZvpn: no matter what, the VPN was established between the router and the ASA. I don't know if I can do something similar with FlexVPN.
Thanks for your support.
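For readers in the same situation as the poster above (spoke WAN interface with a private DHCP address behind a third-party PAT device, hub with one static public IP), the following is an added example of a route-based IKEv2/FlexVPN-style spoke on an ISR with the ASA terminating it as a dynamic IKEv2 L2L peer. It is not the poster's configuration and not Cisco documentation. The addresses (203.0.113.10 for the ASA, 192.168.100.0/24 for the central LAN, 10.255.0.0/30 for the tunnel link), the pre-shared key placeholder, interface names and all object names are assumptions for illustration. IKEv2 NAT traversal is on by default on both platforms, which is what lets the spoke initiate from behind PAT; the ASA side uses a dynamic crypto map with an any/any ACL because the spoke's VTI proposes 0.0.0.0/0 selectors, and the unknown private source address lands the peer in DefaultL2LGroup.

```ios
! ---------- Branch ISR 1111 (spoke, initiates; assumed configuration, not the poster's) ----------
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
crypto ikev2 keyring FLEX-KR
 peer ASA-HUB
  address 203.0.113.10
  pre-shared-key local REPLACE-WITH-STRONG-PSK
  pre-shared-key remote REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-PROF
 match identity remote address 203.0.113.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KR
 dpd 10 3 periodic
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
interface GigabitEthernet0/0/0
 description WAN - private address handed out by the third-party router (assumed)
 ip address dhcp
!
interface Tunnel0
 description route-based VTI to the ASA; source follows the DHCP WAN address
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile FLEX-IPSEC
!
ip route 192.168.100.0 255.255.255.0 Tunnel0

! ---------- Central ASA 5508-X (hub, responder; assumed configuration) ----------
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
access-list FLEX-ANY extended permit ip any any
crypto dynamic-map DYN 10 match address FLEX-ANY
crypto dynamic-map DYN 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE interface outside
!
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
```

Two practical checks: on the spoke, `show crypto ikev2 sa` should list the SA with the NAT-T flag set and UDP/4500 in use, and `show interface Tunnel0` should stay up/up across a DHCP lease change on the WAN; on the ASA, `show crypto ikev2 sa` shows the peer as the third-party router's public address, which is why nothing on the ASA side can depend on the spoke's address being stable. Every spoke sharing DefaultL2LGroup also shares that pre-shared key, so per-site certificates are the stronger choice once a PKI is available.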
09-06-2019 11:24 AM
DMVPN can run with spokes behind a NAT device.
My experience is that this is not always reliable. Sometimes it will be running fine for a month and then break. Sometimes a week.
Meraki MX AutoVPN works perfectly when both nodes are behind NAT and is a million times simpler to configure. You really should re-look at this solution. To get started you just need to put an MX behind your ASA in VPN concentrator mode, and then you can start using MX's at your remote spoke sites.
09-04-2019 05:40 PM
The technology you are using now is prehistoric.
Personally, I would make a big jump to the future and change over to using Cisco Meraki SD-WAN using MX appliances.
https://meraki.cisco.com/products/appliances#sd-wan?ref=2tGdu8S
https://meraki.cisco.com/products/appliances
The Cisco Meraki product line is a significant jump forward in technology from what you have - so you may experience some culture shock.
It is not compatible with what you have now, so you will need to do a side-by-side migration. Basically, put an MX at your HQ first next to the ISR/ASA, and then you can slowly move remote sites across to using an MX.
You won't regret the change once you see the huge amount of things you are missing now.
09-05-2019 07:25 AM
Hi Philip,
Unfortunately, I am tied to that infrastructure due to budget limitations. Moreover, I don't like the periodic Meraki license payment kind of thing (I suppose I'm also a little old fashioned). Is there any option for the current infrastructure I have (maybe DMVPN or FlexVPN in some sort of topology/configuration)?
Thanks for your support.