Cisco Easy VPN – ASA to IOS – Part 2 (CCIE Notes)

Easy VPN with Hardware client, NEM disabled, Client mode, Manual connect with XAuth:-

Easy VPN SERVER (Cisco ASA 5520):-

  • Address pool
  • NAT (If required)
  • ACL for split-tunnel (If required)
  • Group-policy > nem disable (EZ VPN Client will be configured for Client mode and not Network-Extension mode)
  • Tunnel-group > ikev1 user-authentication xauth (default)
ip local pool r2pool mask
nat (inside,outside) source static destination static no-proxy-arp route-lookup
access-list splitacl2 standard permit host 
group-policy r2policy internal
group-policy r2policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitacl2
 nem disable
 address-pools value r2pool
tunnel-group R2 type remote-access
tunnel-group R2 general-attributes
 default-group-policy r2policy
tunnel-group R2 ipsec-attributes
 ikev1 pre-shared-key *****


  • XAuth is the default user-authentication under tunnel-group.
  • When NEM is disabled, it means the client will be configured for Client mode. So address pool needs to be created and applied under the group-policy.

Easy VPN Hardware CLIENT (Cisco 1760 router):-

  • crypto ipsec client ezvpn HQVPN – configure the client setting under this command
  • connect manual – always on connection. No authentication required by the HW client
  • group R2 key ciscor2 – Tunnel-group and pre-shared key configured on the EZ VPN server
  • local-address – the IP address that is advertised to the server. The intermediary routers should have a route to this IP address. Example; if the local-address is a loopback IP address on the hardware client, the intermediary router should have a route for the loopback IP.
  • mode – Client mode (The inside addresses are PAT’ed with the assigned IP address form the address pool)
  • peer – IP of the EZ VPN server
crypto ipsec client ezvpn HQ
 connect manual
 group R2 key ciscor2
 local-address FastEthernet0/0
 mode client
 xauth userid mode interactive
interface Loopback0
 ip address
 crypto ipsec client ezvpn HQ inside
interface FastEthernet0/0
 ip address
 speed auto
 crypto ipsec client ezvpn HQ


  • When the client is authenticated, a new Loopback interface is dynamically created.
  • When in client mode, the hardware client receives an address from the address pool configured on the EZ VPN server and assigns it to the dynamically created Loopback interface. All traffic from the inside interface of the EZVPN client is then PATed behind this assigned IP address.


R2#show cry ipsec client ezvpn 
Easy VPN Remote Phase: 4

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0 
Current State: IPSEC_ACTIVE
Last Event: CONNECT
Save Password: Disallowed
Split Tunnel List: 1
 Address :
 Mask :
 Protocol : 0x0
 Source Port: 0
 Dest Port : 0
Current EzVPN Peer:

R2#sh ip int br | i Loop
Loopback0 YES manual up up 
Loopback1 YES manual up up

R2#sho ip nat translations 
Pro Inside global Inside local Outside local Outside global

ASA Logs: Note the source IP address is that is assigned from the address pool.

%ASA-6-302013: Built inbound TCP connection 51 for outside: (\ezadmin) to inside: ( (ezadmin)

Bookmark to follow my CCIE Security v4 journey ->


One thought on “Cisco Easy VPN – ASA to IOS – Part 2 (CCIE Notes)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s