Cisco EzVPN – EASY VPN
A Cisco EZVPN client is basically hardware VPN client that is always ON. It helps simplify deployment of branch locations where their public IP is handed out by a DHCP server and constantly changes.
Today I’m setting up a Cisco EzVPN (Easy VPN) between a Cisco ASA5505 and a Cisco 800 Series IOS router in NEM – Network extension mode. The Cisco ASA will be acting as the VPN server and the Cisco router will be the client.
EzVPN NEM – Network Extension Mode
With NEM, you will be able to reach IPs on the client side of the tunnel from the server where was in CLIENT mode, all traffic is PAT from the client router, thus you will only be able to initiate traffic from the client side.
For more information regarding NEM visit here.
Below is the network diagram I’m using to display my setup. Devices on either end of the tunnel will be able to reach each other bidirectionally. ie. the desktop should be able to ping the laptop and the laptop should also be able to ping the desktop.
Cisco ASA EzVPN Server end configuration on ASA OS 8.3+
- First define the client subnet you want to reach using a network object. This is the IP subnet range on the client side. You can then use this object to define your encryption traffic as shown below in the static NAT statement.
object network NAT0_EZVPN1 subnet 10.3.201.0 255.255.255.0 nat (INSIDE,OUTSIDE) source static any any destination static NAT0_EZVPN1 NAT0_EZVPN1 route-lookup
- Next setup the PHASE 1 encryption parameters.
crypto ikev1 enable OUTSIDE crypto ikev1 policy 9 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400
- Then setup your Phase 2 parameters and apply it to the interface.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto dynamic-map OUTSIDE_CRYPTO_DYNAMAP 65535 set ikev1 transform-set ESP-AES-256-SHA crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_CRYPTO_DYNAMAP
Setup a split tunnel access-list in order to define traffic that will be routed over from the client side. This access-list will be pushed out to the client upon establishment of the VPN tunnel.
access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
- Next you will need to define a group policy for the client. All these settings will be pushed out to the client upon connectivity to the VPN. Make note of the NEM enable option on the last line, as this will enable the Network Extension mode option. Also, you will need the password-storage enable option to allow the client username to be stored on the device. Otherwise you will be prompted to enter the username and password each time you establish the tunnel.
group-policy EZVPN1 internal group-policy EZVPN1 attributes dns-server value 10.3.128.7 10.1.0.92 vpn-tunnel-protocol ikev1 ikev2 password-storage enable split-tunnel-policy tunnelspecified split-tunnel-network-list value EZVPN_SPLIT_TUNNEL default-domain value domain.local secure-unit-authentication disable user-authentication disable nem enable
- Create a username that you will be using on the client to connect to the server. Like the software VPN, this is the user credentials supplied for additional authentication.
username EZVPN_USER password /n7KO5aHcX87RASZ encrypted
- Apply the group policy settings in a tunnel-group. This is where you enter the preshared key for your phase 1 authentication.
tunnel-group EZVPN1 type remote-access tunnel-group EZVPN1 general-attributes default-group-policy EZVPN1 tunnel-group EZVPN1 ipsec-attributes ikev1 pre-shared-key secret