Cisco EzVPN – EASY VPN
A Cisco EzVPN client is essentially a hardware VPN client that is always on. It simplifies deployment of branch locations whose public IP is handed out by a DHCP server and changes constantly: the client always initiates the tunnel, so the server never needs to know the client's address in advance.
Today I'm setting up a Cisco EzVPN (Easy VPN) between a Cisco ASA 5505 and a Cisco 800 Series IOS router in NEM (Network Extension Mode). The Cisco ASA will act as the VPN server and the Cisco router will be the client.
EzVPN NEM – Network Extension Mode
With NEM, hosts on the server side of the tunnel can reach IPs on the client side, because the client LAN keeps its real addresses across the tunnel. In CLIENT mode, by contrast, all traffic is PATed behind a single address by the client router, so connections can only be initiated from the client side.
Below is the network diagram for my setup. Devices on either end of the tunnel can reach each other bidirectionally, i.e. the desktop should be able to ping the laptop and the laptop should be able to ping the desktop.
Cisco ASA EzVPN server-end configuration (ASA OS 8.3+)
- First define the client subnet you want to reach using a network object; this is the IP subnet on the client side. Use this object in an identity NAT (NAT-exempt) rule, shown below, so that traffic between the inside network and the client subnet keeps its real addresses and is encrypted rather than translated to the outside interface address.
object network NAT0_EZVPN1
 subnet 10.3.201.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static any any destination static NAT0_EZVPN1 NAT0_EZVPN1 route-lookup
Next set up the Phase 1 (IKEv1) parameters. EzVPN is an IKEv1-only feature, and the IOS hardware client negotiates Phase 1 from a fixed set of proposals; DH group 2 with SHA-1 is what older releases offer, and both are weak by current standards. Check what the client's IOS release supports before accepting them, use the strongest group and hash it offers, and treat EzVPN as a legacy feature.
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 9
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
Then set up your Phase 2 parameters: a transform set, a dynamic crypto map that references it (the client's address is not known in advance, so a static map cannot be used), a crypto map that includes the dynamic map, and finally the crypto map applied to the outside interface.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE_CRYPTO_DYNAMAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_CRYPTO_DYNAMAP
crypto map OUTSIDE_map interface OUTSIDE
Set up a split-tunnel access list to define the server-side networks the client should send through the tunnel; everything else leaves the client router directly. This access list is pushed to the client when the tunnel is established.
access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
Next define a group policy for the client. All of these settings are pushed to the client when it connects. Note the nem enable option on the last line, which permits Network Extension Mode for this group. You also need password-storage enable so the client can store the Xauth username and password on the device; otherwise you would be prompted for them each time the tunnel is established, which an unattended hardware client cannot answer. For the same reason secure-unit-authentication and user-authentication are disabled here: both would require interactive credentials from a user behind the router. The trade-off is that anyone who can read the router's configuration has those credentials, so protect the configuration and use a dedicated account per site.
group-policy EZVPN1 internal
group-policy EZVPN1 attributes
 dns-server value 10.3.128.7 10.1.0.92
 vpn-tunnel-protocol ikev1 ikev2
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN_SPLIT_TUNNEL
 default-domain value domain.local
 secure-unit-authentication disable
 user-authentication disable
 nem enable
Create the username the client will use to connect. As with the software VPN client, these are the Xauth credentials supplied for an additional authentication step after the group pre-shared key.
username EZVPN_USER password /n7KO5aHcX87RASZ encrypted
Apply the group policy in a tunnel-group. The tunnel-group name is the group name the client presents (group EZVPN1 in the router profile), and this is where you enter the pre-shared key for Phase 1 authentication. The key is shared by every client in the group and is used in IKEv1 aggressive mode, where a captured exchange can be attacked offline, so use a long random key rather than a word; secret below is a placeholder.
tunnel-group EZVPN1 type remote-access
tunnel-group EZVPN1 general-attributes
 default-group-policy EZVPN1
tunnel-group EZVPN1 ipsec-attributes
 ikev1 pre-shared-key secret
Cisco IOS Router EzVPN configuration
- First set up a DHCP server on the router to assign an IP to the laptop. You can skip this part if you assign IPs statically. The reservation below binds the laptop's client identifier to 10.3.201.2 on the Vlan2 subnet, so its mask matches the /24 configured on Vlan2.
ip dhcp pool LAPTOP
 import all
 host 10.3.201.2 255.255.255.0
 client-identifier 01f0.def1.836d.2d
 option 150 ip 10.1.0.192
 domain-name domain.local
 default-router 10.3.201.1
 dns-server 10.3.128.7 8.8.8.8 4.2.2.2
- Set the domain name and DNS servers on the router. This is useful if you use a DNS name to reach your VPN server.
ip domain name domain.local
ip name-server 8.8.8.8
ip name-server 4.2.2.2
- Configure the EzVPN client profile. This is where you specify the group name and key (the Phase 1 pre-shared key, which must match the ASA tunnel-group), the network-extension mode, the peer, and the Xauth username and password. xauth userid mode local tells the router to answer the Xauth challenge with the credentials stored in the profile instead of prompting. The crypto isakmp key line is a conventional ISAKMP key for a peer identified by hostname; the EzVPN profile supplies its own group key for Phase 1, so the tunnel does not depend on that line. The periodic keepalive (DPD) lets the router notice a dead peer and re-establish the tunnel.
crypto isakmp key secret hostname CISCOASA
crypto isakmp keepalive 10 periodic
crypto ipsec client ezvpn EZVPN
 connect auto
 group EZVPN1 key secret
 mode network-extension
 peer X.X.X.X
 username EZVPN_USER password secret
 xauth userid mode local
- Define your inside and outside interfaces. Here FastEthernet4 is the outside interface, with the EzVPN profile applied to it, and Vlan2 is the inside interface; the inside keyword on Vlan2 tells the client which LAN to extend through the tunnel. Only the Vlan2 subnet is presented to the server, which is why it must match the NAT-exempt object on the ASA.
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN
interface Vlan2
 ip address 10.3.201.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn EZVPN inside
- Lastly, for use with split tunneling, this NAT statement lets users on the client side reach the internet directly, without going through the tunnel. It is not needed for the VPN itself to work. Traffic for the networks in the split-tunnel list must not be translated, so the deny entry keeps it out of the PAT rule and it enters the tunnel with its real source address; the source subnet in the access list must be the Vlan2 subnet (10.3.201.0/24).
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip access-list extended NAT_ACL
 deny ip 10.3.201.0 0.0.0.255 10.0.0.0 0.15.255.255
 permit ip 10.3.201.0 0.0.0.255 any
Once both sides are configured, show crypto ipsec client ezvpn on the router shows the profile state and the attributes pushed by the ASA, and show crypto isakmp sa / show crypto ipsec sa on either side confirm the Phase 1 and Phase 2 SAs.
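The script below is an added example, not part of the original post. It cross-checks the ASA server configuration and the IOS client configuration above (both embedded as constructed strings, trimmed to the lines that matter and with the post's placeholder key "secret" left in) for the mismatches that most often keep an EzVPN tunnel down or leave traffic outside it: a client group with no matching tunnel-group, a pre-shared key that differs, a client LAN with no identity-NAT exemption on the ASA, and a router NAT ACL that translates traffic bound for the split-tunnel networks. It also flags DH group 2 and SHA-1 in the IKEv1 policy. The parser is deliberately minimal and assumes sub-commands are indented by one space, as show running-config prints them; the baseline it warns against (group 14, SHA-256) is my choice, not something the post states.

```python
"""Added example (not from the post): cross-check the ASA EzVPN server and IOS client
fragments on this page for mismatches and weak IKEv1 settings ("secret" = placeholder)."""
import ipaddress

ASA_CONFIG = """\
object network NAT0_EZVPN1
 subnet 10.3.201.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static any any destination static NAT0_EZVPN1 NAT0_EZVPN1 route-lookup
crypto ikev1 policy 9
 encryption aes-256
 hash sha
 group 2
access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
tunnel-group EZVPN1 ipsec-attributes
 ikev1 pre-shared-key secret
"""
IOS_CONFIG = """\
crypto ipsec client ezvpn EZVPN
 group EZVPN1 key secret
interface Vlan2
 ip address 10.3.201.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN inside
ip access-list extended NAT_ACL
 deny ip 10.3.201.0 0.0.0.255 10.0.0.0 0.15.255.255
 permit ip 10.3.201.0 0.0.0.255 any
"""

def blocks(cfg):
    out = []  # (command, [indented sub-commands]) pairs, as show running-config prints them
    for line in cfg.splitlines():
        if line.startswith(" "):
            out[-1][1].append(line.strip())
        elif line.strip():
            out.append((line.strip(), []))
    return out

def net(addr, mask, wildcard=False):
    if wildcard:  # IOS ACLs use a wildcard, i.e. the inverted netmask
        mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(cfg):
    asa = {"objects": {}, "nat_exempt": [], "policy": {}, "split": [], "psk": {}}
    for head, kids in blocks(cfg):
        w = head.split()
        if w[:2] == ["object", "network"]:
            asa["objects"][w[2]] = next((net(*k.split()[1:3]) for k in kids if k.startswith("subnet ")), None)
        elif w[0] == "nat" and "destination" in w:
            i = w.index("destination")  # "destination static X X" is identity NAT (no translation)
            if w[i + 1] == "static" and w[i + 2] == w[i + 3]:
                asa["nat_exempt"].append(w[i + 2])
        elif w[:3] == ["crypto", "ikev1", "policy"]:
            asa["policy"] = dict(k.split(None, 1) for k in kids)
        elif w[0] == "access-list" and "standard" in w:
            asa["split"].append(net(w[-2], w[-1]))
        elif w[0] == "tunnel-group" and w[-1] == "ipsec-attributes":
            asa["psk"][w[1]] = next((k.split()[-1] for k in kids if k.startswith("ikev1 pre-shared-key ")), None)
    return asa

def parse_ios(cfg):
    ios = {"profile": {}, "inside_net": None, "nat_acl": []}
    for head, kids in blocks(cfg):
        w = head.split()
        if w[:4] == ["crypto", "ipsec", "client", "ezvpn"]:
            for kw in (k.split() for k in kids):
                if kw[0] == "group":  # "group NAME key KEY": the IKEv1 aggressive-mode identity and PSK
                    ios["profile"]["group"], ios["profile"]["key"] = kw[1], kw[3]
        elif w[0] == "interface" and any(k.startswith("crypto ipsec") and k.endswith(" inside") for k in kids):
            ios["inside_net"] = next((net(*k.split()[2:4]) for k in kids if k.startswith("ip address ") and len(k.split()) == 4), None)
        elif w[:3] == ["ip", "access-list", "extended"]:
            for kw in (k.split() for k in kids):  # deny|permit ip SRC WILDCARD DST WILDCARD|any
                dst = ipaddress.ip_network("0.0.0.0/0") if kw[4] == "any" else net(kw[4], kw[5], wildcard=True)
                ios["nat_acl"].append((kw[0], net(kw[2], kw[3], wildcard=True), dst))
    return ios

def nat_action(acl, src, dst):  # first match wins; an IOS ACL ends with an implicit deny
    return next((a for a, s, d in acl if src in s and dst in d), "deny")

def audit(asa, ios):
    """Return (severity, message) findings: ERROR stops or leaks the tunnel, WARN weakens it."""
    f, p, pol, lan = [], ios["profile"], asa["policy"], ios["inside_net"]
    if p.get("group") not in asa["psk"]:
        f.append(("ERROR", f"client group {p.get('group')} has no tunnel-group on the ASA"))
    elif asa["psk"][p["group"]] != p.get("key"):
        f.append(("ERROR", "group pre-shared key differs between ASA and router"))
    if lan not in [asa["objects"].get(o) for o in asa["nat_exempt"]]:
        f.append(("ERROR", f"client LAN {lan} has no identity-NAT exemption on the ASA"))
    for n in asa["split"]:  # LAN traffic to every tunnelled network must bypass the router's PAT
        if lan and nat_action(ios["nat_acl"], lan[1], n[1]) != "deny":
            f.append(("ERROR", f"NAT_ACL translates traffic from the LAN to tunnel network {n}"))
    if int(pol.get("group", 0)) < 14:
        f.append(("WARN", f"IKEv1 DH group {pol.get('group')} is weak; use 14 or higher if the client supports it"))
    if pol.get("hash") == "sha":
        f.append(("WARN", "IKEv1 policy hashes with SHA-1; prefer sha256 if the client supports it"))
    return f

if __name__ == "__main__":
    for sev, msg in audit(parse_asa(ASA_CONFIG), parse_ios(IOS_CONFIG)):
        print(f"{sev}: {msg}")
```

Run against the fragments in this post it reports two WARN lines (DH group 2 and SHA-1) and no ERROR; change the key on either side, point the ASA object at a different subnet, or drop the deny entry from NAT_ACL and the corresponding ERROR appears. To check a real pair of devices, paste the relevant parts of each show running-config into the two strings.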