Cisco EzVPN – EASY VPN
A Cisco EzVPN client is basically a hardware VPN client that is always on. It
simplifies the deployment of branch locations whose public IP is handed out by a
DHCP server and constantly changes.
Today I’m setting up a Cisco EzVPN (Easy VPN) between a Cisco ASA5505 and a Cisco
800 Series IOS router in NEM (Network Extension Mode). The Cisco ASA will act as
the VPN server and the Cisco router as the client.
EzVPN NEM – Network Extension Mode
With NEM, you can reach IPs on the client side of the tunnel from the server side,
whereas in CLIENT mode all traffic is PATed by the client router, so you can only
initiate traffic from the client side.
Below is the network diagram I’m using to illustrate my setup. Devices on either end of
the tunnel will be able to reach each other bidirectionally, i.e. the desktop should be
able to ping the laptop and the laptop should also be able to ping the desktop.
Cisco ASA EzVPN Server end configuration on ASA OS 8.3+
- First, define the client subnet you want to reach using a network object. This is the
IP subnet range on the client side. You can then use this object to exempt the VPN
traffic from translation, as shown in the static (identity) NAT statement below.
object network NAT0_EZVPN1
subnet 10.3.201.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static any any destination static NAT0_EZVPN1 NAT0_EZVPN1 route-lookup
Next, set up the Phase 1 encryption parameters.
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 9
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
Then set up your Phase 2 parameters and apply the crypto map to the outside interface.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE_CRYPTO_DYNAMAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_CRYPTO_DYNAMAP
! binds the crypto map to the interface on which IKEv1 was enabled above
crypto map OUTSIDE_map interface OUTSIDE
Set up a split-tunnel access-list to define the traffic that will be routed over the
tunnel from the client side. This access-list is pushed out to the client when the
VPN tunnel is established.
access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
Next, define a group policy for the client. All of these settings are pushed out to the
client when it connects to the VPN. Note the nem enable option on the last line, which
turns on Network Extension Mode. You also need the password-storage enable option so
that the client username and password can be stored on the device; otherwise you will be
prompted for them each time the tunnel is established.
group-policy EZVPN1 internal
group-policy EZVPN1 attributes
dns-server value 10.3.128.7 10.1.0.92
vpn-tunnel-protocol ikev1 ikev2
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN_SPLIT_TUNNEL
default-domain value domain.local
secure-unit-authentication disable
user-authentication disable
nem enable
Create the username that the client will use to connect to the server. As with the
software VPN client, these are the user credentials supplied for the additional
(extended) authentication.
username EZVPN_USER password /n7KO5aHcX87RASZ encrypted
Apply the group policy settings in a tunnel-group. This is where you enter the
pre-shared key for your Phase 1 authentication.
tunnel-group EZVPN1 type remote-access
tunnel-group EZVPN1 general-attributes
default-group-policy EZVPN1
tunnel-group EZVPN1 ipsec-attributes
ikev1 pre-shared-key secret
Cisco IOS Router EzVPN configuration
- First, set up a DHCP server on the router to assign an IP to the laptop. You can skip
this part if you prefer to assign your IPs statically.
ip dhcp pool LAPTOP
import all
host 10.3.201.2 255.255.255.248
client-identifier 01f0.def1.836d.2d
option 150 ip 10.1.0.192
domain-name domain.local
default-router 10.3.201.1
dns-server 10.3.128.7 8.8.8.8 4.2.2.2
- Set the domain name and DNS server settings on your router. This is useful if
you are going to use a DNS name to reach your VPN server.
ip domain name domain.local
ip name-server 8.8.8.8
ip name-server 4.2.2.2
- Configure the Phase 1 parameters on the client end. This is where you specify the
pre-shared key along with the NEM option, and the username and password used for
the extended authentication (xauth).
crypto isakmp key secret hostname CISCOASA
crypto isakmp keepalive 10 periodic
crypto ipsec client ezvpn EZVPN
connect auto
group EZVPN1 key secret
mode network-extension
peer X.X.X.X
username EZVPN_USER password secret
xauth userid mode local
- Define your inside and outside interfaces. Here I have used FastEthernet4 as the
outside interface and assigned the EzVPN profile to it, and interface Vlan2 as my
inside interface.
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN
interface Vlan2
ip address 10.3.201.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn EZVPN inside
- Lastly, for use with split tunnelling, I’ve added this statement to ensure that users on
the client side can reach the internet without going through the tunnel. You don’t need
these lines for the VPN to work.
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip access-list extended NAT_ACL
! must match the Vlan2 inside subnet (10.3.201.0/24) or client traffic is never translated
permit ip 10.3.201.0 0.0.0.255 any
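As an added example (not from the original post), here is a small Python checker that cross-references the ASA and IOS settings above and flags the mismatches that silently break NEM reachability: the NAT-exemption object versus the client LAN, NEM enabled on both ends, the pushed DNS servers falling inside the split-tunnel list, and the client NAT_ACL covering the inside subnet. The sample values are taken from the configs above, except the NAT_ACL subnet, which is deliberately mistyped (constructed) to show a catch.

```python
import ipaddress
import re

def mask_to_net(addr, mask):
    """ASA/IOS 'address netmask' pair -> network (e.g. 'subnet 10.3.201.0 255.255.255.0')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def wildcard_to_net(addr, wildcard):
    """IOS ACL 'address wildcard' pair -> network (a wildcard is the inverted mask)."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa_standard_acl(lines):
    """Collect the permitted networks from ASA 'access-list <name> standard permit' lines."""
    nets = []
    for line in lines:
        m = re.match(r"access-list \S+ standard permit (\S+) (\S+)", line.strip())
        if m:
            nets.append(mask_to_net(*m.groups()))
    return nets

def check_nem_config(server, client):
    """Return a list of mismatches between the ASA server and the IOS client settings."""
    problems = []
    client_lan = mask_to_net(*client["inside"])
    nat0 = mask_to_net(*server["nat0_object"])
    if nat0 != client_lan:
        problems.append(f"NAT exemption object {nat0} != client LAN {client_lan}")
    if not (server["nem"] and client["mode"] == "network-extension"):
        problems.append("NEM must be enabled on both server (nem enable) and client")
    split = parse_asa_standard_acl(server["split_acl"])
    for dns in server["dns_servers"]:
        if not any(ipaddress.ip_address(dns) in net for net in split):
            problems.append(f"pushed DNS server {dns} is outside the split-tunnel list")
    nat_acl = wildcard_to_net(*client["nat_acl"])
    if not client_lan.subnet_of(nat_acl):
        problems.append(f"client NAT_ACL {nat_acl} does not cover LAN {client_lan}")
    return problems

# Constructed from the configs above; the NAT_ACL subnet is a deliberate typo (10.2 vs 10.3).
SERVER = {"nat0_object": ("10.3.201.0", "255.255.255.0"),
          "split_acl": ["access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0"],
          "dns_servers": ["10.3.128.7", "10.1.0.92"], "nem": True}
CLIENT = {"inside": ("10.3.201.1", "255.255.255.0"), "mode": "network-extension",
          "nat_acl": ("10.2.201.0", "0.0.0.255")}

if __name__ == "__main__":
    for problem in check_nem_config(SERVER, CLIENT):
        print("WARN:", problem)
```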