Cisco EasyVPN is a solution that I, for the most part, have totally overlooked when designing VPN solutions. The overlooking most likely came from my lack of understanding; until recently I hadn't fully understood what its uses were. A couple of months ago, when I was studying for my ISCW exam, I came across a chapter on EasyVPN. Here are the main points that I came out with:

- EasyVPN can be used to create IPSec VPN tunnels between a 'headend' and a 'remote' location.
- The remote site does NOT need to have a statically assigned IP address on its external interface.
- The configuration can act in Network Extension or Client mode. Network Extension mode presents a fully routable network to the tunnel for connectivity back to the headend. In Client mode (also called NAT mode) all traffic is hidden behind a NAT.
- Remote node configuration is for the most part handled through a mode-configuration type policy push from the headend.

In other words, EasyVPN certainly has its place in today's networks. Let's look at a 'real-world' example to solidify the point. Let's say that you have a client who has remote users spread across the US. The client has a Cisco VoIP solution in house at their corporate office and they'd like all of their remote users to have a desk phone and LAN access at their respective locations. In most scenarios like this I'd recommend Cisco phone proxy and some sort of software client VPN solution. However, let's say in this instance they happen to have a pile of older Cisco 800 series routers sitting around and don't feel like upgrading their ASA license for phone proxy.

I like to think of EasyVPN as simply a hardware client VPN solution. EasyVPN also supports split tunneling, which should be a consideration in any VPN solution. Rather than terminating the VPN locally on a user's laptop, why not terminate it on a piece of hardware that can support multiple devices? All you have to do is configure a router and send it home with the user and their desk phone. You'll need to ensure, of course, that the DHCP scope on the router has option 150 set so that the phone can find the TFTP server, but other than that it should be very transparent to the user.

Configuring the headend is almost identical to configuring a standard IPSec client VPN solution. There are a few differences and we'll point those out as we move through the configuration. In this scenario we are using an ASA 5500 series firewall for the headend and an 800 series router as the remote device. I'm assuming that you have a working production device in operation at both the client and the headend location prior to beginning configuration. Insert your relevant information where the placeholders are. The text in blue are variable names I made up; feel free to change them.

Notes: Define the ACLs for no-NAT and for the crypto map. Nothing new here. Assuming we have two networks we want access to, a phone and a data network:
ASA(config)# access-list nonat extended permit ip <source> <mask> <destination> <mask>
ASA(config)# access-list EasyVPN extended permit ip <source> <mask> <destination> <mask>

Notes: Apply the no-NAT ACL to NAT if you haven't done so already:
ASA(config)# nat (inside) 0 access-list nonat

Notes: Create the group policy for the connection. The group policy is where we define the mode; here we specify network extension mode with the 'nem enable' command:
ASA(config)# group-policy GP_EasyVPN internal
ASA(config)# group-policy GP_EasyVPN attributes
ASA(config-group-policy)# password-storage enable
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value EasyVPN
ASA(config-group-policy)# nem enable

Notes: Create a username to use during authentication:
ASA(config)# username ezvpn password ezvpn

Notes: Create the transform set to use during phase 2:
ASA(config)# crypto ipsec transform-set TS_EasyVPN esp-3des esp-sha-hmac

Notes: Create the crypto map and dynamic map, then apply it to the outside interface:
ASA(config)# crypto dynamic-map DM_EasyVPN 5 set transform-set TS_EasyVPN
ASA(config)# crypto map CM_EasyVPN 60 ipsec-isakmp dynamic DM_EasyVPN
ASA(config)# crypto map OutsideMap 60 ipsec-isakmp dynamic DM_EasyVPN
ASA(config)# crypto map OutsideMap interface outside
ASA(config)# crypto isakmp enable outside

Notes: Create the ISAKMP policy to be used during phase 1:
ASA(config)# crypto isakmp policy <priority>
ASA(config-isakmp-policy)# authentication pre-share
ASA(config-isakmp-policy)# encryption 3des
ASA(config-isakmp-policy)# lifetime 86400

Notes: Create the tunnel group and assign its attributes:
ASA(config)# tunnel-group TG_EasyVPN type remote-access
ASA(config)# tunnel-group TG_EasyVPN general-attributes
ASA(config-tunnel-general)# default-group-policy GP_EasyVPN
ASA(config-tunnel-general)# tunnel-group TG_EasyVPN ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key <key>
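A review check for the headend config above, added here as an example and not part of the original post: it parses the running-config form of this configuration and flags the points a reviewer would raise before shipping a router home with a user: the legacy 3DES transform set and ISAKMP cipher, password-storage enable (the XAUTH credentials live on the remote 800 router), a cleartext username whose password equals its name, and a split-tunnel list that names an ACL that was never defined. The sample config, its addresses and the PSK placeholder are constructed.

```python
LEGACY = {"des", "3des", "esp-des", "esp-3des", "esp-md5-hmac"}

# Constructed sample: the post's headend config as `show running-config` would
# show it (prompts dropped; addresses and the PSK are made-up placeholder values).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list EasyVPN extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.0.0
group-policy GP_EasyVPN attributes
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EasyVPN
 nem enable
username ezvpn password ezvpn
crypto ipsec transform-set TS_EasyVPN esp-3des esp-sha-hmac
crypto map OutsideMap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
"""


def audit_easyvpn_config(config: str) -> list[str]:
    """Flag legacy or risky settings in an ASA EasyVPN headend config."""
    findings, acls, split_acls = [], set(), []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 2:
            continue
        if t[0] == "access-list":
            acls.add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = sorted(set(t[4:]) & LEGACY)  # phase-2 cipher / HMAC choices
            if weak:
                findings.append(f"transform-set {t[3]} uses legacy {' '.join(weak)}")
        elif t[0] == "encryption" and t[1] in LEGACY:  # phase-1 cipher
            findings.append(f"isakmp policy uses legacy encryption {t[1]}")
        elif t == ["password-storage", "enable"]:  # creds saved on the 800 router
            findings.append("password-storage enable stores XAUTH credentials on the remote router")
        # Only the cleartext form is checked; ASA writes stored hashes as
        # "username <name> password <hash> encrypted", which does not match here.
        elif t[0] == "username" and len(t) == 4 and t[2] == "password" and t[3] == t[1]:
            findings.append(f"username {t[1]} has a cleartext password equal to its name")
        elif t[:2] == ["split-tunnel-network-list", "value"] and len(t) > 2:
            split_acls.append(t[2])
    for name in split_acls:  # a missing ACL means nothing gets tunnelled
        if name not in acls:
            findings.append(f"split-tunnel ACL {name} is not defined")
    return findings
```

Run it against a real `show running-config` export the same way; the split-tunnel check is the one that fails silently in production, because the tunnel comes up with no interesting traffic.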