Easy VPN with Hardware client, NEM disabled, Client mode, Manual connect with XAuth:-
Easy VPN SERVER (Cisco ASA 5520):-
- Address pool
- NAT (If required)
- ACL for split-tunnel (If required)
- Group-policy > nem disable (EZ VPN Client will be configured for Client mode and not Network-Extension mode)
- Tunnel-group > ikev1 user-authentication xauth (default)
ip local pool r2pool 192.168.1.1-192.168.1.254 mask 255.255.255.0 ! nat (inside,outside) source static 18.104.22.168 22.214.171.124 destination static 126.96.36.199 188.8.131.52 no-proxy-arp route-lookup access-list splitacl2 standard permit host 184.108.40.206 ! group-policy r2policy internal group-policy r2policy attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value splitacl2 nem disable address-pools value r2pool ! tunnel-group R2 type remote-access tunnel-group R2 general-attributes default-group-policy r2policy tunnel-group R2 ipsec-attributes ikev1 pre-shared-key *****
- XAuth is the default user-authentication under tunnel-group.
- When NEM is disabled, it means the client will be configured for Client mode. So address pool needs to be created and applied under the group-policy.
Easy VPN Hardware CLIENT (Cisco 1760 router):-
- crypto ipsec client ezvpn HQVPN – configure the client setting under this command
- connect manual – always on connection. No authentication required by the HW client
- group R2 key ciscor2 – Tunnel-group and pre-shared key configured on the EZ VPN server
- local-address – the IP address that is advertised to the server. The intermediary routers should have a route to this IP address. Example; if the local-address is a loopback IP address on the hardware client, the intermediary router should have a route for the loopback IP.
- mode – Client mode (The inside addresses are PAT’ed with the assigned IP address form the address pool)
- peer – IP of the EZ VPN server
crypto ipsec client ezvpn HQ connect manual group R2 key ciscor2 local-address FastEthernet0/0 mode client peer 10.1.111.1 xauth userid mode interactive ! interface Loopback0 ip address 220.127.116.11 255.255.255.255 crypto ipsec client ezvpn HQ inside ! interface FastEthernet0/0 ip address 10.1.102.2 255.255.255.0 speed auto crypto ipsec client ezvpn HQ
- When the client is authenticated, a new Loopback interface is dynamically created.
- When in client mode, the hardware client receives an address from the address pool configured on the EZ VPN server and assigns it to the dynamically created Loopback interface. All traffic from the inside interface of the EZVPN client is then PATed behind this assigned IP address.
R2#show cry ipsec client ezvpn Easy VPN Remote Phase: 4 Tunnel name : HQ Inside interface list: Loopback0 Outside interface: FastEthernet0/0 Current State: IPSEC_ACTIVE Last Event: CONNECT Address: 192.168.1.1 Mask: 255.255.255.255 Save Password: Disallowed Split Tunnel List: 1 Address : 18.104.22.168 Mask : 255.255.255.255 Protocol : 0x0 Source Port: 0 Dest Port : 0 Current EzVPN Peer: 10.1.111.1 R2#sh ip int br | i Loop Loopback0 22.214.171.124 YES manual up up Loopback1 192.168.1.1 YES manual up up R2#sho ip nat translations Pro Inside global Inside local Outside local Outside global tcp 192.168.1.1:51431 126.96.36.199:51431 188.8.131.52:23 184.108.40.206:23 ASA Logs: Note the source IP address is 192.168.1.1 that is assigned from the address pool. %ASA-6-302013: Built inbound TCP connection 51 for outside:192.168.1.1/51431 (192.168.1.1/51431)(LOCAL\ezadmin) to inside:220.127.116.11/23 (18.104.22.168/23) (ezadmin)
Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/