Cisco Easy VPN – ASA to IOS – Part 1 (CCIE Notes)

Easy VPN with a hardware client, network extension mode (NEM) enabled, auto-connect:-

Easy VPN SERVER (Cisco ASA 5520):-

  • NAT exemption (identity NAT) between the two encryption domains is required if NAT/PAT is configured on the outside interface; otherwise the traffic is translated before it reaches the crypto map and never matches the tunnel.
  • ACL for the split-tunnel list (if required)
  • ISAKMP (IKEv1) policy and IPsec transform-set (this lab uses 3DES, SHA-1 and DH group 2, all of which are deprecated; use AES, SHA-2 and group 14 or higher on production gear)
  • Dynamic crypto map, referenced from the crypto map bound to the outside interface
  • Group-policy attributes (nem enable)
  • Tunnel-group (XAUTH is the default user authentication on the ASA; disable it with 'ikev1 user-authentication none' when the hardware client connects automatically, because there is no user present to answer the XAUTH prompt)
nat (inside,outside) source static destination static no-proxy-arp route-lookup
access-list splitacl1 standard permit host 
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set esp-3des esp-3des esp-sha-hmac 
crypto dynamic-map dyn-map 10 set ikev1 transform-set esp-3des
crypto dynamic-map dyn-map 10 set reverse-route
crypto map outmap 100 ipsec-isakmp dynamic dyn-map
crypto map outmap interface outside
group-policy r1policy internal
group-policy r1policy attributes
 group-lock value R1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitacl1
 nem enable
tunnel-group R1 type remote-access
tunnel-group R1 general-attributes
 default-group-policy r1policy
tunnel-group R1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none

Easy VPN Hardware CLIENT (Cisco 1760 router):-

  • crypto ipsec client ezvpn HQ – the client settings are configured under this command (the name is local to the router)
  • connect auto – always-on connection; the tunnel is brought up as soon as the outside interface is up, so no user is present to authenticate and XAUTH must be disabled on the server
  • group R1 key ciscor1 – must match the tunnel-group name and pre-shared key configured on the Easy VPN server
  • local-address – the IP address the client uses as its IKE/IPsec source and presents to the server. The intermediate routers must have a route to this address; for example, if the local-address is a loopback on the hardware client, the intermediate routers need a route to that loopback.
  • mode – network-extension (the client's inside subnet is reachable from the server side with its real addresses, an extended LAN similar to a site-to-site VPN; requires 'nem enable' in the group-policy on the ASA)
  • peer – IP address of the Easy VPN server

crypto ipsec client ezvpn HQ
 connect auto
 group R1 key *******
 local-address Loopback1
 mode network-extension
 xauth userid mode interactive
interface Loopback0
 ip address
 crypto ipsec client ezvpn HQ inside
interface Loopback1
 ip address
 crypto ipsec client ezvpn HQ inside
interface FastEthernet0/0
 ip address
 speed auto
 crypto ipsec client ezvpn HQ outside
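As an added example (not part of the original notes), the following Python script cross-checks the ASA server and IOS client fragments above the way a reviewer would before cutting over: it parses the indented config into blocks, flags weak IKEv1 policy parameters, and verifies that the client's group name, mode and connect auto setting line up with the tunnel-group, nem enable and XAUTH settings on the server. The embedded config strings are copied from the page (key masked as on the page); the weak-algorithm list, function names and finding text are my own.

```python
"""Consistency and strength checks for an Easy VPN server (ASA) / hardware
client (IOS) configuration pair. Added example, not code from the page."""
import re
from typing import Dict, List, Optional

# Constructed samples: the ASA and IOS fragments from the notes above.
ASA_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set esp-3des esp-3des esp-sha-hmac
group-policy r1policy internal
group-policy r1policy attributes
 group-lock value R1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitacl1
 nem enable
tunnel-group R1 type remote-access
tunnel-group R1 general-attributes
 default-group-policy r1policy
tunnel-group R1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
"""

IOS_CLIENT_CONFIG = """\
crypto ipsec client ezvpn HQ
 connect auto
 group R1 key *******
 local-address Loopback1
 mode network-extension
 xauth userid mode interactive
"""

# IKEv1 policy values treated as weak. On the ASA "hash sha" means SHA-1.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level (unindented) line to its indented child lines."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_ikev1_policies(asa: Dict[str, List[str]]) -> List[str]:
    """Flag deprecated cipher, hash or DH group in every 'crypto ikev1 policy N'."""
    findings = []
    for hdr, lines in asa.items():
        m = re.match(r"crypto ikev1 policy (\d+)$", hdr)
        if not m:
            continue
        for line in lines:
            parts = line.split()
            if parts and parts[0] in WEAK and parts[-1] in WEAK[parts[0]]:
                findings.append(f"ikev1 policy {m.group(1)}: weak {parts[0]} {parts[-1]}")
    return findings


def audit_pair(asa_text: str, client_text: str) -> List[str]:
    """Check that the IOS client's group, mode and connect settings match the ASA."""
    asa = parse_blocks(asa_text)
    client = parse_blocks(client_text)
    findings = audit_ikev1_policies(asa)

    ez_hdr = next((h for h in client if h.startswith("crypto ipsec client ezvpn ")), None)
    if ez_hdr is None:
        return findings + ["no 'crypto ipsec client ezvpn' profile on the client"]
    ez = client[ez_hdr]
    group = next((l.split()[1] for l in ez if l.startswith("group ")), None)
    mode = next((l.split()[1] for l in ez if l.startswith("mode ")), None)
    auto = "connect auto" in ez

    # The client's group name is the tunnel-group name on the ASA.
    tg_ipsec = asa.get(f"tunnel-group {group} ipsec-attributes")
    if tg_ipsec is None:
        return findings + [f"client group {group!r} has no tunnel-group on the ASA"]

    # Network extension mode needs 'nem enable' in the applied group-policy.
    gp_name = next((l.split()[1] for l in asa.get(f"tunnel-group {group} general-attributes", [])
                    if l.startswith("default-group-policy ")), None)
    gp = asa.get(f"group-policy {gp_name} attributes", [])
    if mode == "network-extension" and "nem enable" not in gp:
        findings.append(f"client uses network-extension but group-policy {gp_name} lacks 'nem enable'")

    # An unattended auto-connect client cannot answer an XAUTH prompt.
    if auto and "ikev1 user-authentication none" not in tg_ipsec:
        findings.append(f"client connects automatically but tunnel-group {group} still requires XAUTH")
    return findings


if __name__ == "__main__":
    for f in audit_pair(ASA_CONFIG, IOS_CLIENT_CONFIG):
        print("FINDING:", f)
```

Run as-is it reports only the three weak IKEv1 policy parameters; remove 'ikev1 user-authentication none' or 'nem enable' from the ASA fragment, or change the client's group name, and the corresponding mismatch is reported.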


ASA1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

AM_ACTIVE shows the SA was built with IKE aggressive mode, which Easy VPN uses for group pre-shared-key authentication; the ASA is the responder and the hardware client the initiator.

R1# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Split Tunnel List: 1
       Address    :
       Mask       :
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer:

R1# show crypto isakmp sa
dst             src             state          conn-id slot status
                                QM_IDLE              5    0 ACTIVE

Bookmark to follow my CCIE Security v4 journey.
