Cisco Easy VPN – ASA to IOS – Part 2 (CCIE Notes)


Easy VPN with Hardware client, NEM disabled, Client mode, Manual connect with XAuth:-

Easy VPN SERVER (Cisco ASA 5520):-

  • Address pool
  • NAT (If required)
  • ACL for split-tunnel (If required)
  • Group-policy > nem disable (EZ VPN Client will be configured for Client mode and not Network-Extension mode)
  • Tunnel-group > ikev1 user-authentication xauth (default)

ip local pool r2pool 192.168.1.1-192.168.1.254 mask 255.255.255.0
!
nat (inside,outside) source static 4.4.4.4 4.4.4.4 destination static 2.2.2.2 2.2.2.2 no-proxy-arp route-lookup
access-list splitacl2 standard permit host 4.4.4.4 
!
group-policy r2policy internal
group-policy r2policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitacl2
 nem disable
 address-pools value r2pool
!
tunnel-group R2 type remote-access
tunnel-group R2 general-attributes
 default-group-policy r2policy
tunnel-group R2 ipsec-attributes
 ikev1 pre-shared-key *****

Notes:-

  • XAuth is the default user-authentication under tunnel-group.
  • When NEM is disabled, it means the client will be configured for Client mode. So address pool needs to be created and applied under the group-policy.

Easy VPN Hardware CLIENT (Cisco 1760 router):-

  • crypto ipsec client ezvpn HQ – the client settings are configured under this command (HQ is the Easy VPN profile name used in the configuration below)
  • connect manual – the tunnel is not brought up automatically; it is initiated manually from the hardware client, and with xauth userid mode interactive the XAuth username and password are entered interactively when the tunnel is brought up
  • group R2 key ciscor2 – Tunnel-group and pre-shared key configured on the EZ VPN server
  • local-address – the IP address that is advertised to the server. The intermediary routers should have a route to this IP address. Example; if the local-address is a loopback IP address on the hardware client, the intermediary router should have a route for the loopback IP.
  • mode – Client mode (the inside addresses are PAT’ed behind the IP address assigned from the address pool)
  • peer – IP of the EZ VPN server

crypto ipsec client ezvpn HQ
 connect manual
 group R2 key ciscor2
 local-address FastEthernet0/0
 mode client
 peer 10.1.111.1
 xauth userid mode interactive
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 crypto ipsec client ezvpn HQ inside
!
interface FastEthernet0/0
 ip address 10.1.102.2 255.255.255.0
 speed auto
 crypto ipsec client ezvpn HQ

Notes:-

  • When the client is authenticated and the tunnel comes up, a new Loopback interface is dynamically created (Loopback1 in the output below).
  • When in client mode, the hardware client receives an address from the address pool configured on the EZ VPN server and assigns it to the dynamically created Loopback interface. All traffic from the inside interface of the EZVPN client is then PAT’ed behind this assigned IP address.

Verification:-

R2#show cry ipsec client ezvpn 
Easy VPN Remote Phase: 4

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0 
Current State: IPSEC_ACTIVE
Last Event: CONNECT
Address: 192.168.1.1
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
 Address : 4.4.4.4
 Mask : 255.255.255.255
 Protocol : 0x0
 Source Port: 0
 Dest Port : 0
Current EzVPN Peer: 10.1.111.1

R2#sh ip int br | i Loop
Loopback0 2.2.2.2 YES manual up up 
Loopback1 192.168.1.1 YES manual up up

R2#sho ip nat translations 
Pro Inside global Inside local Outside local Outside global
tcp 192.168.1.1:51431 2.2.2.2:51431 4.4.4.4:23 4.4.4.4:23

ASA log: note that the source IP address is 192.168.1.1, the address assigned from the address pool, and that the connection is tagged with the XAuth user (ezadmin) rather than the client’s real inside address 2.2.2.2.

%ASA-6-302013: Built inbound TCP connection 51 for outside:192.168.1.1/51431 (192.168.1.1/51431)(LOCAL\ezadmin) to inside:4.4.4.4/23 (4.4.4.4/23) (ezadmin)
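The three verification outputs above can be cross-checked mechanically. The following Python script is an added example and is not part of the original post: it parses the "show crypto ipsec client ezvpn" output, the "show ip nat translations" output and the ASA 302013 log line, and confirms the behaviour described in the notes for client mode: the tunnel is IPSEC_ACTIVE against the expected peer, the assigned address comes from the pool (r2pool, 192.168.1.0/24), the NAT inside global address equals that assigned address, the translated destination is in the split-tunnel list, and the ASA sees the pool address (not the client’s real inside address) together with an XAuth user. The sample outputs are constructed, modelled on the output in the post; the pool and peer values are assumptions taken from the configuration shown above.

```python
import ipaddress
import re

# Constructed sample outputs, modelled on the verification output in the post.
EZVPN_STATUS = """\
Easy VPN Remote Phase: 4

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: CONNECT
Address: 192.168.1.1
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
 Address : 4.4.4.4
 Mask : 255.255.255.255
 Protocol : 0x0
 Source Port: 0
 Dest Port : 0
Current EzVPN Peer: 10.1.111.1
"""

NAT_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
tcp 192.168.1.1:51431 2.2.2.2:51431 4.4.4.4:23 4.4.4.4:23
"""

ASA_LOG = ("%ASA-6-302013: Built inbound TCP connection 51 for "
           "outside:192.168.1.1/51431 (192.168.1.1/51431)(LOCAL\\ezadmin) "
           "to inside:4.4.4.4/23 (4.4.4.4/23) (ezadmin)")

# Assumptions taken from the configuration in the post: the ASA address pool and server address.
POOL = ipaddress.ip_network("192.168.1.0/24")   # ip local pool r2pool
SERVER_PEER = "10.1.111.1"                       # peer configured on the hardware client

# Fields of the %ASA-6-302013 message: source/destination and the optional "(user)" tag.
ASA_302013 = re.compile(
    r"%ASA-6-302013: Built inbound (?P<proto>\w+) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\)"
    r"(?:\((?P<user>[^)]+)\))? to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def parse_ezvpn_status(text):
    """Return the top-level 'key: value' fields of 'show crypto ipsec client ezvpn'."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):      # indented lines belong to the split list
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_split_list(text):
    """Return the destination networks listed under 'Split Tunnel List'."""
    return [line.partition(":")[2].strip()
            for line in text.splitlines() if line.startswith(" Address")]


def parse_nat(text):
    """Return the rows of 'show ip nat translations' with ports stripped."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) == 5:
            ip = lambda s: s.rsplit(":", 1)[0]
            rows.append({"proto": parts[0], "inside_global": ip(parts[1]),
                         "inside_local": ip(parts[2]), "outside_global": ip(parts[4])})
    return rows


def check_client_mode(status_text, nat_text, asa_log, pool=POOL, peer=SERVER_PEER):
    """Cross-check the three outputs; an empty list means everything is consistent."""
    findings = []
    st = parse_ezvpn_status(status_text)
    assigned = st.get("Address")
    if st.get("Current State") != "IPSEC_ACTIVE":
        findings.append(f"tunnel state is {st.get('Current State')}, not IPSEC_ACTIVE")
    if st.get("Current EzVPN Peer") != peer:
        findings.append(f"peer {st.get('Current EzVPN Peer')} is not the expected {peer}")
    if assigned is None or ipaddress.ip_address(assigned) not in pool:
        findings.append(f"assigned address {assigned} is not from pool {pool}")
    if st.get("Mask") != "255.255.255.255":
        findings.append("client mode expects a host (/32) address on the dynamic loopback")
    split = parse_split_list(status_text)
    for row in parse_nat(nat_text):
        if row["inside_global"] != assigned:       # PAT must use the pool address
            findings.append(f"NAT inside global {row['inside_global']} != assigned {assigned}")
        if row["outside_global"] not in split:
            findings.append(f"destination {row['outside_global']} is not in the split-tunnel list")
    m = ASA_302013.match(asa_log)
    if not m:
        findings.append("ASA log line not recognised as a 302013 message")
    else:
        if m.group("src_ip") != assigned:          # ASA must see the pool address, not 2.2.2.2
            findings.append(f"ASA saw source {m.group('src_ip')}, expected {assigned}")
        if not m.group("user"):
            findings.append("ASA connection carries no XAuth user")
    return findings


if __name__ == "__main__":
    print(check_client_mode(EZVPN_STATUS, NAT_TRANSLATIONS, ASA_LOG) or "client-mode checks passed")
```

Replacing the ASA log’s 192.168.1.1 with the client’s inside address 2.2.2.2 makes the check fail, which is exactly the difference between client mode (PAT behind the pool address) and network-extension mode (inside addresses seen unchanged by the server).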

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
