Easy VPN on an 1811 located in DMZ - Part 2

So after struggling with the routing on this particular problem, I decided to ask someone for help; that person was Josh over at Blindhog. He worked on it for about 10 minutes and was able to determine what I was doing wrong. Below is the relevant information from the final configuration of the Easy VPN client (the 1811).

crypto ipsec client ezvpn ASA
 connect auto
 group ezvpntunnel key cisco
 mode network-extension
 peer 64.22.228.130
 username cisco password cisco
 xauth userid mode local
!
interface Loopback0
 ip address 10.2.2.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map EzVPN-Routing
 crypto ipsec client ezvpn ASA inside
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.17.0.0 255.255.255.0 Loopback0
!
ip access-list extended EzVPN-Routing
 permit ip any 172.17.0.0 0.0.0.255
!
route-map EzVPN-Routing permit 10
 match ip address EzVPN-Routing
 set ip next-hop 10.1.1.1

The changes from my initial configuration were as follows.

  • Removed the access-lists from the Loopback0 and FastEthernet0 interfaces
  • Added ip nat inside and ip nat outside to their respective interfaces (Loopback0 is the ip nat outside side)
  • Added a static route for the remote network (172.17.0.0/24) pointing at the ‘outside’ interface, Loopback0
  • Changed the route-map access-list to permit any source to the remote network (172.17.0.0/24)
  • Set the next hop in the route-map with set ip next-hop 10.1.1.1 (the DMZ address of the PIX)
  • On the ASA, added a NAT exemption (nonat) entry for the Loopback0 network (10.2.2.0/24) so that the tunnelled traffic is not translated
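The change list above is easy to get wrong by hand, so here is an added example (my own code, not from the original post and not from Cisco) that checks an Easy VPN Remote configuration fragment against it: no interface access-lists, NAT inside/outside and the ezvpn profile bound on both interfaces, a static route for the remote network pointing at the loopback, and a route-map whose ACL permits any source to the remote network and sets a next hop. It also adds the check a reviewer would want that the post does not mention: the group key and the Xauth username/password are stored in the running configuration, and the values shown (cisco) are placeholders. The embedded configuration is constructed from the post's snippet; the FastEthernet0 stanza and its 10.1.1.2 address are assumptions (the post does not show that interface), as is the WEAK_SECRETS list.

```python
import ipaddress
import re

# Constructed sample built from the post's snippet.  The FastEthernet0 stanza
# and its 10.1.1.2 address are assumptions: the post does not show that interface.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn ASA
 connect auto
 group ezvpntunnel key cisco
 mode network-extension
 peer 64.22.228.130
 username cisco password cisco
 xauth userid mode local
interface Loopback0
 ip address 10.2.2.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map EzVPN-Routing
 crypto ipsec client ezvpn ASA inside
interface FastEthernet0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 crypto ipsec client ezvpn ASA
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.17.0.0 255.255.255.0 Loopback0
ip access-list extended EzVPN-Routing
 permit ip any 172.17.0.0 0.0.0.255
route-map EzVPN-Routing permit 10
 match ip address EzVPN-Routing
 set ip next-hop 10.1.1.1
"""
REMOTE_NET = ipaddress.ip_network("172.17.0.0/24")  # network behind the Easy VPN server
WEAK_SECRETS = {"cisco", "cisco123", "password"}    # assumed placeholder list for this example

def parse_sections(text):
    """Group IOS config into {top-level command: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def wildcard_to_network(addr, wildcard):
    """Convert an IOS wildcard mask (0.0.0.255) into an ip_network."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def lint(text):
    """Return (level, message) findings; FAIL means one of the post's changes is missing."""
    s = parse_sections(text)
    ifaces = {k.split(" ", 1)[1]: v for k, v in s.items() if k.startswith("interface ")}
    out = []
    # 1. No access-lists bound to the interfaces.
    bound = [n for n, l in ifaces.items() if any(x.startswith("ip access-group") for x in l)]
    out.append(("FAIL" if bound else "PASS", f"interface access-groups: {bound or 'none'}"))
    # 2. ip nat inside/outside present, and the ezvpn profile bound inside on one interface and outside on another.
    nat_in = [n for n, l in ifaces.items() if "ip nat inside" in l]
    nat_out = [n for n, l in ifaces.items() if "ip nat outside" in l]
    out.append(("PASS" if nat_in and nat_out else "FAIL", f"nat inside={nat_in} outside={nat_out}"))
    ez_in = [n for n, l in ifaces.items() if any(re.fullmatch(r"crypto ipsec client ezvpn \S+ inside", x) for x in l)]
    ez_out = [n for n, l in ifaces.items() if any(re.fullmatch(r"crypto ipsec client ezvpn \S+( outside)?", x) for x in l)]
    out.append(("PASS" if ez_in and ez_out else "FAIL", f"ezvpn inside={ez_in} outside={ez_out}"))
    # 3. A static route for the remote network pointing at the loopback interface.
    routes = [m.groups() for m in map(re.compile(r"ip route (\S+) (\S+) (\S+)").match, s) if m]
    remote = [r for r in routes if ipaddress.ip_network(f"{r[0]}/{r[1]}") == REMOTE_NET]
    ok = any(r[2].lower().startswith("loopback") for r in remote)
    out.append(("PASS" if ok else "FAIL", f"routes to {REMOTE_NET}: {remote or 'none'}"))
    # 4. The route-map's ACL permits any source to the remote network and a next hop is set.
    for key, lines in s.items():
        m = re.match(r"route-map (\S+) permit \d+", key)
        if not m:
            continue
        acl = next((x.split()[-1] for x in lines if x.startswith("match ip address")), None)
        nh = next((x.split()[-1] for x in lines if x.startswith("set ip next-hop")), None)
        covers = False
        for entry in s.get(f"ip access-list extended {acl}", []):
            p = entry.split()  # permit ip <src> <dst> <wildcard>
            if len(p) == 5 and p[:3] == ["permit", "ip", "any"]:
                covers |= REMOTE_NET.subnet_of(wildcard_to_network(p[3], p[4]))
        out.append(("PASS" if covers and nh else "FAIL",
                    f"route-map {m.group(1)}: acl={acl} covers-remote={covers} next-hop={nh}"))
    # Reviewer's check, not one of the post's changes: the group key and Xauth
    # credentials sit in the running config; flag cleartext and placeholder values.
    for key, lines in s.items():
        if key.startswith("crypto ipsec client ezvpn"):
            for x in lines:
                m = re.match(r"(?:group \S+ key|username \S+ password) (?:(\d) )?(\S+)$", x)
                if m and m.group(1) in (None, "0"):
                    out.append(("WARN", f"{key}: '{x}' stores the secret in cleartext"))
                if m and m.group(2).lower() in WEAK_SECRETS:
                    out.append(("WARN", f"{key}: placeholder secret '{m.group(2)}'"))
    return out
```

Calling lint(SAMPLE_CONFIG) returns five PASS entries for the post's changes and four WARN entries for the credentials (cleartext and placeholder, for both the group key and the Xauth password). Deleting the loopback route, or narrowing the ACL so it no longer covers 172.17.0.0/24, turns the corresponding check into a FAIL. The parser only understands one level of indentation, which is all a fragment like this needs.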

Again, I would like to thank Josh for his help. Without his assistance I would still be twiddling my thumbs on this one.
