06-28-2012 11:59 AM
I've been scouring the forums for a while now looking for ways to fix this one but just can't find anything that helps. I have ezVPN configured on an ASA 5520 for my server with 5505s as my clients at several remote sites. The tunnels come up no problem and I can hit everything I need to on both sides of the tunnel, but I'm not able to get to another remote network from a remote network. The traffic goes out the tunnel on the 5505 but on the 5520 all I see is a bunch of scrolling tear down messages. Any thoughts would be greatly appreciated.
Hub side
interface GigabitEthernet0/0
nameif Inside_Network
security-level 100
ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/3
nameif Outside_Network
security-level 0
ip address 192.168.32.8 255.255.255.0
!
same-security-traffic permit inter-interface
!
router eigrp 10
network 10.0.0.0 255.255.255.0
redistribute static
!
crypto ipsec ikev1 transform-set my-set esp-aes-256 esp-sha-hmac
crypto dynamic-map ezvpn 30 set ikev1 transform-set my-set
crypto dynamic-map ezvpn 30 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic ezvpn
crypto map outside_map interface Outside_Network
crypto ikev1 enable Outside_Network
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
group-policy VPN_GP internal
group-policy VPN_GP attributes
vpn-idle-timeout none
nem enable
!
username vpnuser password Wj0QXCAEhK12A5Sp encrypted privilege 0
!
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPN_GP
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
Remote Side - Not much needed here
vpnclient server 192.168.32.8
vpnclient mode network-extension-mode
vpnclient vpngroup VPN password *****
vpnclient username vpnuser password *****
vpnclient enable
07-10-2012 12:53 PM
Remote EzVPN clients are able to connect to the Headend ASA5520 but cannot communicate among themselves. Is it correct understanding?
Are all the EzVPN clients terminated on different outside physical interface of the ASA? If not then we will have to permit traffic intra-interface too along with inter-interface i.e. same-security-traffic permit intra-interface.
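The point made in this answer (spoke-to-spoke traffic arrives on and leaves through the same hub interface, so the hub needs the intra-interface permit) can be checked mechanically before a maintenance window. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses a constructed hub configuration modelled on the 5520 config above, finds the interface(s) a crypto map is bound to, and reports when the matching same-security-traffic permit is missing. The configuration strings, function names and findings text are the example's own assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed hub config modelled on the thread's ASA 5520 config (not the
# poster's exact config): one crypto map bound to one outside interface,
# inter-interface permitted, intra-interface permit absent.
HUB_CONFIG_BEFORE = """\
interface GigabitEthernet0/0
 nameif Inside_Network
 security-level 100
!
interface GigabitEthernet0/3
 nameif Outside_Network
 security-level 0
!
same-security-traffic permit inter-interface
crypto dynamic-map ezvpn 30 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic ezvpn
crypto map outside_map interface Outside_Network
crypto ikev1 enable Outside_Network
"""

# The same config with the fix from the accepted answer applied.
HUB_CONFIG_AFTER = HUB_CONFIG_BEFORE + "same-security-traffic permit intra-interface\n"


def crypto_map_interfaces(config: str) -> Dict[str, str]:
    """Return {nameif: crypto map name} for every 'crypto map X interface Y' line."""
    bound: Dict[str, str] = {}
    for m in re.finditer(r"^crypto map (\S+) interface (\S+)\s*$", config, re.M):
        bound[m.group(2)] = m.group(1)
    return bound


def security_levels(config: str) -> Dict[str, int]:
    """Return {nameif: security-level} by walking interface stanzas."""
    levels: Dict[str, int] = {}
    nameif = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None                      # new stanza, forget the old nameif
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("security-level ") and nameif:
            levels[nameif] = int(s.split()[1])
    return levels


def same_security_permits(config: str) -> Set[str]:
    """Return the set of permitted same-security directions: {'inter', 'intra'}."""
    return set(re.findall(r"^same-security-traffic permit (inter|intra)-interface\s*$",
                          config, re.M))


def check_spoke_to_spoke(config: str) -> List[str]:
    """Return findings; an empty list means spoke-to-spoke hairpinning is permitted."""
    findings: List[str] = []
    bound = crypto_map_interfaces(config)
    if not bound:
        return ["no crypto map is bound to an interface; no VPN termination found"]
    permits = same_security_permits(config)
    if len(bound) == 1:
        # All peers terminate on one interface: traffic must re-enter and leave
        # the same interface, which the ASA only does with the intra permit.
        iface = next(iter(bound))
        if "intra" not in permits:
            findings.append(
                f"all VPN peers terminate on {iface}; spoke-to-spoke traffic enters and "
                f"leaves {iface}, so 'same-security-traffic permit intra-interface' is required")
    else:
        # Peers on several interfaces at the same security level need the inter permit.
        levels = security_levels(config)
        if len({levels.get(i) for i in bound}) == 1 and "inter" not in permits:
            findings.append(
                "VPN peers terminate on several interfaces at the same security level; "
                "'same-security-traffic permit inter-interface' is required")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", HUB_CONFIG_BEFORE), ("after", HUB_CONFIG_AFTER)):
        print(label, check_spoke_to_spoke(cfg) or ["ok"])
```

The audit only reads static configuration; it says nothing about ACLs, NAT exemption or the reverse-route entries that also have to line up for spoke-to-spoke traffic, so treat a clean result as one prerequisite satisfied rather than proof that the hairpin will work.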
07-11-2012 10:40 AM
You understood correctly. They are all being terminated on the same outside interface and the intra-interface worked like a charm. Thanks. I knew it would be something simple in the end.