Configuring Cisco EzVPN on Cisco ASA and IOS Router


Cisco EzVPN – EASY VPN

A Cisco EzVPN client is essentially a hardware VPN client that is always on. It simplifies deployment at branch locations whose public IP address is assigned by DHCP and changes regularly.

Today I’m setting up a Cisco EzVPN (Easy VPN) tunnel between a Cisco ASA5505 and a Cisco 800 Series IOS router in NEM (Network Extension Mode). The Cisco ASA will act as the VPN server and the Cisco router will be the client.

EzVPN NEM – Network Extension Mode

With NEM, hosts on the client side of the tunnel are reachable from the server side. In CLIENT mode, by contrast, all traffic is PATed by the client router, so connections can only be initiated from the client side.

For more information regarding NEM visit here.

Below is the network diagram for my setup. Devices on either end of the tunnel will be able to reach each other bidirectionally, i.e. the desktop should be able to ping the laptop and the laptop should also be able to ping the desktop.

Cisco EZVPN Network Diagram

Cisco ASA EzVPN Server end configuration on ASA OS 8.3+

  1. First, define the client subnet you want to reach using a network object. This is the IP subnet range on the client side. You can then reference this object in the static (identity) NAT statement below, which exempts traffic to the client subnet from translation so it can be sent over the tunnel.
    object network NAT0_EZVPN1
    subnet 10.3.201.0 255.255.255.0
    
    nat (INSIDE,OUTSIDE) source static any any destination static NAT0_EZVPN1 NAT0_EZVPN1 route-lookup
  2. Next, set up the Phase 1 (IKEv1) policy: enable IKEv1 on the outside interface and define the authentication, encryption, hash, Diffie-Hellman group and lifetime.
    crypto ikev1 enable OUTSIDE
    
    crypto ikev1 policy 9
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
  3. Then set up your Phase 2 parameters (transform set and dynamic crypto map) and apply the crypto map to the outside interface.
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map OUTSIDE_CRYPTO_DYNAMAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_CRYPTO_DYNAMAP
    ! Bind the crypto map to the interface the clients connect to
    crypto map OUTSIDE_map interface OUTSIDE
  4. Set up a split-tunnel access-list to define the traffic that will be routed over the tunnel from the client side. This access-list is pushed out to the client when the VPN tunnel is established.

    access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
  5. Next, define a group policy for the client. All of these settings are pushed out to the client when it connects to the VPN. Note the nem enable option on the last line, which enables Network Extension Mode. You also need the password-storage enable option so the client username and password can be stored on the device; otherwise you will be prompted for them each time the tunnel is established.
    group-policy EZVPN1 internal
    group-policy EZVPN1 attributes
    dns-server value 10.3.128.7 10.1.0.92
    vpn-tunnel-protocol ikev1 ikev2
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value EZVPN_SPLIT_TUNNEL
    default-domain value domain.local
    secure-unit-authentication disable
    user-authentication disable
    nem enable
  6. Create the username that the client will use to connect to the server. As with the software VPN client, these are the user credentials supplied for the additional user authentication.
    username EZVPN_USER password /n7KO5aHcX87RASZ encrypted
  7. Apply the group policy in a tunnel-group. This is where you enter the pre-shared key for your Phase 1 authentication.
    tunnel-group EZVPN1 type remote-access
    tunnel-group EZVPN1 general-attributes
    default-group-policy EZVPN1
    tunnel-group EZVPN1 ipsec-attributes
    ikev1 pre-shared-key secret
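
For completeness, here is the matching client-side configuration for the IOS router in network-extension mode. This is an added example, not the configuration from the original post. The group name, username and pre-shared key mirror the tunnel-group, username and ikev1 pre-shared-key configured on the ASA above, and the inside LAN uses the 10.3.201.0/24 subnet from the NAT0_EZVPN1 object. The interface names (Vlan1, FastEthernet4), the ASA public address 203.0.113.1 and the client password are assumptions for this example.

```cisco
! Added example: IOS EzVPN remote (client) in network-extension mode.
! Group name, username and pre-shared key must match the ASA tunnel-group,
! username and ikev1 pre-shared-key above. Interface names, the ASA public
! address and the secrets below are placeholders for this example.
crypto ipsec client ezvpn EZVPN1
 connect auto
 group EZVPN1 key secret
 mode network-extension
 peer 203.0.113.1
 username EZVPN_USER password <client-password>
 xauth userid mode local
!
! Inside LAN: the 10.3.201.0/24 subnet defined in the NAT0_EZVPN1 object on the ASA
interface Vlan1
 ip address 10.3.201.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN1 inside
!
! WAN interface with a DHCP-assigned public address (the EzVPN use case described above)
interface FastEthernet4
 ip address dhcp
 crypto ipsec client ezvpn EZVPN1
```

Because the ASA group policy has password-storage enable, the XAUTH credentials live in the router configuration (the username line above) and the tunnel comes up without a prompt, so the router configuration should be protected like any other stored secret. Once connected, show crypto ipsec client ezvpn on the router and show crypto ikev1 sa / show crypto ipsec sa on the ASA confirm the tunnel; the ASA's IPsec SA should list 10.3.201.0/24 as the remote identity.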

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV
  • Mike

    Thank you for posting this. I’m running into an issue where I would like to NAT the tunnel traffic on the server side after the decryption takes place. My client side has private addressing for both the WAN and LAN interfaces. My tunnel comes up fine and I can see the decrypts on the IPsec SA from the server. I also see the ICMP echo requests coming in when I do a capture on the server but no replies. Seeing that I can’t route private addressing out to the internet, I know that I need to NAT, but it doesn’t seem to be catching the traffic in the xlate table. I’m guessing it’s an order of operations issue? Everything I’m coming across seems to say that I should be able to NAT the traffic after the decryption. I just have a simple global NAT setup to the outside interface with a NAT all statement. Thanks again.

    -Manwhohits Headondesk

  • Louis

    Excellent guide!!!! Woohoo! First time ever that something with Cisco just works the first time without endless troubleshooting!!