Configuring Cisco EzVPN on Cisco ASA and IOS Router

TOPICS:8.3 8.4 asa Cisco cryptomap easy vpn ezvpn firewall IOS ipsec vpn nat router site to site vpn

Posted By: Alfred Tong October 18, 2012

Cisco EzVPN – EASY VPN

A Cisco EZVPN client is basically hardware VPN client that is always ON. It helps simplify deployment of branch locations where their public IP is handed out by a DHCP server and constantly changes.

Today I’m setting up a Cisco EzVPN (Easy VPN) between a Cisco ASA5505 and a Cisco 800 Series IOS router in NEM – Network extension mode. The Cisco ASA will be acting as the VPN server and the Cisco router will be the client.

EzVPN NEM – Network Extension Mode

With NEM, you will be able to reach IPs on the client side of the tunnel from the server where was in CLIENT mode, all traffic is PAT from the client router, thus you will only be able to initiate traffic from the client side.

For more information regarding NEM visit here.

Below is the network diagram I’m using to display my setup. Devices on either end of the tunnel will be able to reach each other bidirectionally. ie. the desktop should be able to ping the laptop and the laptop should also be able to ping the desktop.

Cisco ASA EzVPN Server end configuration on ASA OS 8.3+

First define the client subnet you want to reach using a network object. This is the IP subnet range on the client side. You can then use this object to define your encryption traffic as shown below in the static NAT statement.
```
object network NAT0_EZVPN1
subnet 10.3.201.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static any any destination static NAT0_EZVPN1 NAT0_EZVPN1 route-lookup
```

Next setup the PHASE 1 encryption parameters.

crypto ikev1 enable OUTSIDE

crypto ikev1 policy 9
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

Then setup your Phase 2 parameters and apply it to the interface.

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE_CRYPTO_DYNAMAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_CRYPTO_DYNAMAP

Setup a split tunnel access-list in order to define traffic that will be routed over from the client side. This access-list will be pushed out to the client upon establishment of the VPN tunnel.
```
access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
```
Next you will need to define a group policy for the client. All these settings will be pushed out to the client upon connectivity to the VPN. Make note of the NEM enable option on the last line, as this will enable the Network Extension mode option. Also, you will need the password-storage enable option to allow the client username to be stored on the device. Otherwise you will be prompted to enter the username and password each time you establish the tunnel.
```
group-policy EZVPN1 internal
group-policy EZVPN1 attributes
dns-server value 10.3.128.7 10.1.0.92
vpn-tunnel-protocol ikev1 ikev2
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN_SPLIT_TUNNEL
default-domain value domain.local
secure-unit-authentication disable
user-authentication disable
nem enable
```
Create a username that you will be using on the client to connect to the server. Like the software VPN, this is the user credentials supplied for additional authentication.
```
username EZVPN_USER password /n7KO5aHcX87RASZ encrypted
```

Apply the group policy settings in a tunnel-group. This is where you enter the preshared key for your phase 1 authentication.

tunnel-group EZVPN1 type remote-access
tunnel-group EZVPN1 general-attributes
default-group-policy EZVPN1
tunnel-group EZVPN1 ipsec-attributes
ikev1 pre-shared-key secret

1 2