Cisco Easy VPN – ASA to IOS – Part 1 (CCIE Notes)


Easy VPN with a hardware client, NEM (network extension mode) enabled, auto connect:-

Easy VPN SERVER (Cisco ASA 5520):-

  • NAT exemption (identity NAT) between the encryption domains is required if NAT/PAT is configured on the outside interface, so that the VPN traffic is not translated before it is encrypted.
  • ACL for split tunnelling (if required)
  • ISAKMP policy and IPsec transform-set (3DES, SHA-1 and DH group 2 as used in this lab are legacy settings; prefer AES and a stronger DH group outside a lab)
  • Dynamic crypto map and crypto map (the hardware client's outside address is not known in advance, so the server needs a dynamic map)
  • Group-policy attributes (nem enable)
  • Tunnel-group (Xauth user authentication is the default on the ASA; disable it with "ikev1 user-authentication none" if the hardware client must connect automatically without a user login)
nat (inside,outside) source static 4.4.4.4 4.4.4.4 destination static 11.11.11.11 11.11.11.11 no-proxy-arp route-lookup
!
access-list splitacl1 standard permit host 4.4.4.4 
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set esp-3des esp-3des esp-sha-hmac 
!
crypto dynamic-map dyn-map 10 set ikev1 transform-set esp-3des
crypto dynamic-map dyn-map 10 set reverse-route
crypto map outmap 100 ipsec-isakmp dynamic dyn-map
crypto map outmap interface outside
!
group-policy r1policy internal
group-policy r1policy attributes
 group-lock value R1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitacl1
 nem enable
!
tunnel-group R1 type remote-access
tunnel-group R1 general-attributes
 default-group-policy r1policy
tunnel-group R1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none

Easy VPN Hardware CLIENT (Cisco 1760 router):-

  • crypto ipsec client ezvpn HQ – the client settings are configured under this command (HQ is the local name of the Easy VPN profile and is referenced on the inside and outside interfaces)
  • connect auto – always-on connection. The tunnel is brought up without any user interaction, so no Xauth login is required from the HW client (and the server must not ask for one)
  • group R1 key ciscor1 – tunnel-group name and pre-shared key configured on the Easy VPN server
  • local-address – the interface whose IP address is used as the IKE source, i.e. the peer address the server sees. The intermediate routers must have a route to this IP address. Example: if the local-address is a loopback interface on the hardware client, the intermediate routers need a route to that loopback IP.
  • mode – network-extension (the inside LAN keeps its own addressing and is reachable from the server side, similar to a site-to-site VPN; in client mode the inside hosts would instead be PATed behind a single assigned address)
  • peer – IP address of the Easy VPN server

crypto ipsec client ezvpn HQ
 connect auto
 group R1 key *******
 local-address Loopback1
 mode network-extension
 peer 10.1.111.1
 xauth userid mode interactive
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 crypto ipsec client ezvpn HQ inside
!
interface Loopback1
 ip address 111.111.111.111 255.255.255.255
 crypto ipsec client ezvpn HQ inside
!
interface FastEthernet0/0
 ip address 10.1.101.1 255.255.255.0
 speed auto
 crypto ipsec client ezvpn HQ outside
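The two checklists above only work when the server and client halves agree: the client's "group" must be a remote-access tunnel-group on the ASA, "mode network-extension" needs "nem enable" in the group-policy the tunnel-group hands out, and "connect auto" only works if that tunnel-group has Xauth turned off. The script below is an added example for these notes (it is not Cisco tooling and not from the original post); it parses constructed, trimmed copies of the ASA and IOS snippets above (keys masked) and reports each mismatch, with a weakened ASA variant to show what a default Xauth setting and a missing "nem enable" look like.

```python
"""Cross-check an ASA Easy VPN server config against an IOS hardware-client config.
Added example for these notes, not Cisco tooling; the config text is a constructed,
trimmed copy of the two snippets above with the pre-shared keys masked."""

ASA_CONFIG = """\
group-policy r1policy attributes
 group-lock value R1
 nem enable
tunnel-group R1 type remote-access
tunnel-group R1 general-attributes
 default-group-policy r1policy
tunnel-group R1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
"""

IOS_CONFIG = """\
crypto ipsec client ezvpn HQ
 connect auto
 group R1 key *******
 local-address Loopback1
 mode network-extension
 peer 10.1.111.1
interface Loopback0
 crypto ipsec client ezvpn HQ inside
interface FastEthernet0/0
 crypto ipsec client ezvpn HQ outside
"""

# Weak variant (constructed): the ASA left at its Xauth default and without NEM. An
# auto-connecting hardware client then waits for a user login, and NEM traffic is refused.
WEAK_ASA_CONFIG = ASA_CONFIG.replace(" ikev1 user-authentication none\n", "").replace(" nem enable\n", "")

def parse_blocks(text):
    """Map each top-level line of a Cisco-style config to its indented child lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def value_after(lines, prefix):
    # Text following "<prefix> " on the first matching line, else None.
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)

def parse_asa(text):
    """Collect tunnel-groups (type + attributes) and group-policy attributes."""
    asa = {"tunnel_groups": {}, "group_policies": {}}
    for header, children in parse_blocks(text).items():
        w = header.split()
        if w[0] == "group-policy" and w[2] == "attributes":
            asa["group_policies"].setdefault(w[1], []).extend(children)
        elif w[0] == "tunnel-group":
            tg = asa["tunnel_groups"].setdefault(w[1], {"type": None, "attrs": []})
            if w[2] == "type":
                tg["type"] = w[3]
            else:
                tg["attrs"].extend(children)
    return asa

def parse_ios(text):
    """Collect the ezvpn profile attributes and which interfaces are inside/outside."""
    cli = {"name": None, "attrs": [], "inside": [], "outside": []}
    for header, children in parse_blocks(text).items():
        w = header.split()
        if w[:4] == ["crypto", "ipsec", "client", "ezvpn"] and len(w) == 5:
            cli["name"], cli["attrs"] = w[4], list(children)
        elif w[0] == "interface":
            for cw in (c.split() for c in children):
                if cw[:4] == ["crypto", "ipsec", "client", "ezvpn"] and cw[-1] in ("inside", "outside"):
                    cli[cw[-1]].append(w[1])
    return cli

def check(asa_text, ios_text):
    """Return the list of mismatches; empty means the two sides line up."""
    asa, cli = parse_asa(asa_text), parse_ios(ios_text)
    group = value_after(cli["attrs"], "group")          # e.g. "R1 key *******"
    name = group.split()[0] if group else None
    tg = asa["tunnel_groups"].get(name)
    if tg is None:
        return [f"client group {name!r} has no tunnel-group on the ASA"]
    out = []
    if tg["type"] != "remote-access":
        out.append(f"tunnel-group {name} is type {tg['type']}, not remote-access")
    gp = asa["group_policies"].get(value_after(tg["attrs"], "default-group-policy"), [])
    if value_after(cli["attrs"], "mode") == "network-extension" and "nem enable" not in gp:
        out.append("client is in network-extension mode but the group-policy lacks 'nem enable'")
    if "connect auto" in cli["attrs"] and "ikev1 user-authentication none" not in tg["attrs"]:
        out.append("client connects automatically but Xauth is still enabled on the tunnel-group")
    lock = value_after(gp, "group-lock value")
    if lock and lock != name:
        out.append(f"group-lock {lock} does not match tunnel-group {name}")
    if len(cli["outside"]) != 1 or not cli["inside"]:
        out.append("client needs exactly one outside and at least one inside interface")
    return out
```

check(ASA_CONFIG, IOS_CONFIG) returns an empty list for the lab above; check(WEAK_ASA_CONFIG, IOS_CONFIG) returns the Xauth and NEM findings. The parser only understands the one-space indentation Cisco uses for sub-commands, which is enough for "show running-config" text pasted from either box.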

Verification:-

ASA1# show crypto isakmp sa
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 111.111.111.111
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE


R1# show crypto ipsec client ezvpn 
Easy VPN Remote Phase: 4
Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0 
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Split Tunnel List: 1
 Address : 4.4.4.4
 Mask : 255.255.255.255
 Protocol : 0x0
 Source Port: 0
 Dest Port : 0
Current EzVPN Peer: 10.1.111.1
R1# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.111.1      111.111.111.111 QM_IDLE              5    0 ACTIVE
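What the two outputs above should agree on: the ASA sees the peer at the client's local-address (111.111.111.111), the SA is "Type: user" (remote access / Easy VPN; a site-to-site SA shows L2L), the ASA is the responder because the hardware client initiates, and phase 1 is complete on both ends (AM_ACTIVE on the ASA, QM_IDLE/ACTIVE on IOS). The script below is an added example for these notes, not part of the original post: it parses constructed copies of the two show outputs and returns a pass/fail with reasons, which is the check you would script against both boxes after a change.

```python
import re

# Constructed sample outputs copied from the verification section above: the ASA
# server's "show crypto isakmp sa" and the IOS client's, with CLI-style spacing.
ASA_SHOW = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 111.111.111.111
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

IOS_SHOW = """\
dst             src             state          conn-id slot status
10.1.111.1      111.111.111.111 QM_IDLE              5    0 ACTIVE
"""

# Phase-1 states that mean IKE is established (ASA: aggressive or main mode; IOS: quick-mode idle).
ASA_UP = {"AM_ACTIVE", "MM_ACTIVE"}
IOS_UP = {"QM_IDLE"}


def parse_asa_isakmp(output):
    """One dict per 'IKE Peer' entry with lower-cased keys: peer, type, role, rekey, state."""
    peers, cur = [], None
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1)}
            peers.append(cur)
        elif cur is not None:
            for key, val in re.findall(r"(\w+)\s*:\s*(\S+)", line):
                cur[key.lower()] = val
    return peers


def parse_ios_isakmp(output):
    """One dict per SA row, keyed by the header columns (dst, src, state, conn-id, slot, status)."""
    lines = [l for l in output.splitlines() if l.strip()]
    header = lines[0].split()
    return [dict(zip(header, row.split())) for row in lines[1:] if len(row.split()) == len(header)]


def tunnel_status(asa_output, ios_output, client_addr, server_addr):
    """Check that both ends agree the IKE SA is up; returns (ok, reasons)."""
    reasons = []
    asa = [p for p in parse_asa_isakmp(asa_output) if p["peer"] == client_addr]
    if not asa:
        reasons.append(f"ASA has no IKE SA with {client_addr}")
    else:
        p = asa[0]
        if p.get("state") not in ASA_UP:
            reasons.append(f"ASA SA state is {p.get('state')}, not established")
        if p.get("type") != "user":       # 'user' = remote-access/EzVPN; a site-to-site SA shows 'L2L'
            reasons.append(f"ASA SA type is {p.get('type')}, expected 'user'")
        if p.get("role") != "responder":  # the hardware client initiates, so the server must be responder
            reasons.append(f"ASA role is {p.get('role')}, expected 'responder'")
    ios = [r for r in parse_ios_isakmp(ios_output)
           if r.get("dst") == server_addr and r.get("src") == client_addr]
    if not ios:
        reasons.append(f"client has no IKE SA from {client_addr} to {server_addr}")
    elif ios[0]["state"] not in IOS_UP or ios[0].get("status") != "ACTIVE":
        reasons.append(f"client SA is {ios[0]['state']}/{ios[0].get('status')}")
    return (not reasons, reasons)
```

tunnel_status(ASA_SHOW, IOS_SHOW, "111.111.111.111", "10.1.111.1") returns (True, []). Feed it an ASA output stuck in a negotiation state such as MM_WAIT_MSG3 (or an IOS row that is not QM_IDLE) and it returns False with the offending state, which is the usual symptom of a pre-shared-key or group-name mismatch between the two configs.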

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/

 
