Home > Articles > Cisco

Configuring the Cisco ASA 5505 Easy VPN (EZVPN)

📄 Contents

  1. ASA Easy VPN (EZVPN) Concepts
  2. ASA Easy VPN (EZVPN) Configuration
  • Print
  • + Share This
  • 💬 Discuss

For those looking to secure their remote network locations, one of the most popular (and cheap) options to use is a Virtual Private Network (VPN). One of the problems is the complexity of the configuration that is required for both the central location (headend) and the remote offices. One of Cisco's answers to this problem is the creation of the Easy VPN (EZVPN) hardware client that is available on the Adaptive Security Appliance (ASA) model 5505.

Sean Wilkins takes you through the steps that are required to configure an ASA 5505 as an Easy VPN Server and as an Easy VPN client; specifically using the Network Extension Mode (NEM).

For those looking to secure their remote network locations, one of the most popular (and cheap) options to use is a Virtual Private Network (VPN). When configured correctly, VPNs are highly secure and provide the remote offices mostly seamless access to a central internal network.

One of the problems that can be found is the complexity of the configuration that is required for both the central location (headend) and the remote offices. One of Cisco's answers to this problem is the creation of the Easy VPN (EZVPN) hardware client that is available on the Adaptive Security Appliance (ASA) model 5505.

This feature enables a remote office to obtain an ASA 5505 and implement a VPN solution that connects them to a central location with five commands[md]or one screen if you use the Cisco's Adaptive Security Device Manager (ASDM) GUI management tool.

This article will take you through the steps that are required to configure an ASA 5505 as an Easy VPN Server and as an Easy VPN client; specifically using the Network Extension Mode (NEM). The configuration steps that are shown in this article assume that ASA policy has been configured to allow the traffic in the first place, if this has not yet been done do it first before beginning the steps in this article.

ASA Easy VPN (EZVPN) Concepts

There are a couple of concepts about the EZ VPN feature that need to be reviewed before getting into the configuration steps. This section will be brief and touch on these concepts.

It is important to note that the Easy VPN feature is not limited to using an ASA 5505 as the server-side device; it can be configured to work with other Cisco ASA models, VPN concentrators, and Cisco IOS devices.

The client side (hardware), on the other hand, is limited to the ASA 5505. The basic process works by having the server configuration define a policy that will be downloaded to the client and used to set up the correct parameters when establishing a tunnel between the server and the client. The client can be configured with multiple servers (up to 10) and will attempt to establish a connection going down the list of configured servers in eight-second intervals.

The Easy VPN client has two different modes that are available: client mode and network extension mode (NEM). The main difference is that when using client mode, the devices that exist behind the client (on its inside interface) are not directly accessible by the devices on the central internal network. This is because Port Address Translation (PAT) is used on the connection.

When using the Network extension mode, the devices that sit behind the client act as if they were directly connected to the central network and can be directly accessed. For this article, the steps that will be shown focus on configuring the Easy VPN server and client in NEM mode.

By default, Easy VPN uses UDP to encapsulate IPsec traffic; in some environments, this can be a problem depending on the specific network elements between the client and the server. In these situations, it may be required to enable the use of IPsec over TCP; this is available as an option with the Easy VPN feature.

A common problem that can exist with some implementation is that once a tunnel is established with the central server, all traffic coming from the remote location is sent to (and possibly through) the central location. Because a common implementation is to use the Internet as a central network connectivity solution, this can be very inefficient. In this situation, even common Internet browsing would need to travel from the remote location to the central location and then back out to reach the Internet destination.

In this situation, a common solution is to use "split-tunneling." What this solution provides is the ability to specify the destinations that are reachable (and require higher security) at the central location (e.g., centrally located servers). All other traffic will not be tunneled and will be sent out of the Internet connection as normal.

  • + Share This
  • 🔖 Save To Your Account

Discussions

comments powered by Disqus