
Cisco EZVPN with ASA and 2911 NME

Customer Requirements

The customer has requested a mobile device which provides the following:

1. LAN-to-LAN VPN access to Corporate networks from any Internet location (EZVPN)
2. Split tunnels for remote VPN traffic and Internet traffic (ASA policies)
3. IP Phone support with local dial tone and 4-digit dial to Corporate (PoE and FXO)

Solution Overview

To provide a solution for this, we will use a Cisco 2911 with a Network Module Ethernet (NME). The 2911 will support EZVPN and voice termination for local dial tone. The EZVPN configuration allows the 2911 to be connected to any DSL or cable modem and provides LAN-to-LAN Corporate connectivity for remote PCs and Cisco IP Phones. The Cisco NME runs code similar to the Cisco 3750 and provides 16 ports of LAN connectivity with PoE. The 2911 and NME are connected via an internal Gigabit interface. The 2911 and NME devices are configured and maintained independently of each other.

Configuration Detail
2911 NME CONFIGURATION

ip routing
!
ip dhcp pool data
 network 192.168.20.0 255.255.255.224
 default-router 192.168.20.1
 dns-server 172.16.1.55
!
ip dhcp pool voip
 network 192.168.20.32 255.255.255.224
 default-router 192.168.20.33
 option 150 ip 172.16.200.10 172.16.200.11
!
vlan 100
 name DATA
!
vlan 101
 name VOIP
!
interface range FastEthernet1/0/1 - 16
 switchport access vlan 100
 switchport voice vlan 101
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description 2911 Uplink
 ip address 192.168.20.254 255.255.255.252
!
interface Vlan100
 description DATA
 ip address 192.168.20.1 255.255.255.224
!
interface Vlan101
 description VOIP
 ip address 192.168.20.33 255.255.255.224
!
ip route 0.0.0.0 0.0.0.0 192.168.20.253 name 2911

Morgan Stepp CCIE #12603 | morganstepp@yahoo

2911 CONFIGURATION

crypto ipsec client ezvpn R1                  << EZVPN Profile
 connect auto
 group SATELLITE key cisco123                  << EZVPN group name and key
 mode network-extension                        << enable Lan to Lan Network Extension Mode (NEM)
 peer 216.1.1.1                                << ASA Outside Interface
 acl 100                                       << Permit traffic matching ACL 100 to be encrypted
 username satellite password satellite
 xauth userid mode local
!
interface GigabitEthernet0/0
 ip address dhcp                               << Obtain DHCP address from ISP
 ip nat outside
 crypto ipsec client ezvpn R1
!
interface GigabitEthernet1/0
 description NME Uplink
 ip address 192.168.20.253 255.255.255.252
 ip nat inside
 crypto ipsec client ezvpn R1 inside
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
ip route 192.168.20.0 255.255.255.224 192.168.20.254 name NME_DATA
ip route 192.168.20.32 255.255.255.224 192.168.20.254 name NME_VOIP
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any   << Permit traffic matching ACL 100 to be encrypted
access-list 101 permit ip 192.168.20.0 0.0.0.31 any    << permit data traffic into NAT pool

ASA 5510 EZVPN CONFIGURATION

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 5 set transform-set ESP-3DES-MD5
crypto dynamic-map DYNMAP 5 set reverse-route          << install routes learned from Satellite
!
crypto map CMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface outside
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group SATELLITE type remote-access
tunnel-group SATELLITE general-attributes
 default-group-policy SATELLITE
tunnel-group SATELLITE ipsec-attributes                 << EZVPN group name
 pre-shared-key cisco123                                << EZVPN group key
!
group-policy SATELLITE internal
group-policy SATELLITE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL       << only encrypt packets which match ACL
 nem enable                                             << enable Lan to Lan Network Extension Mode (NEM)
!
! The ACL below is read from the perspective of the ASA. Encrypt traffic from 172.16 to 192.168
access-list SPLIT_TUNNEL_ACL extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
!
username satellite password satellite
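The two halves of an EZVPN setup are easy to get out of step: the group name and pre-shared key must agree, NEM must be enabled on both the client profile and the ASA group policy, and the ASA's split-tunnel ACL is written from the ASA's own perspective, so its destination side has to cover every source network the 2911 marks for encryption in ACL 100. The script below is an added example, not part of the original document or Cisco's tooling: the config fragments are copied from this page, and the parsing, the cross-checks and the weak-algorithm list (DES, 3DES, MD5 and DH groups 1, 2 and 5, which Cisco's Next Generation Encryption guidance lists as "avoid") are mine.

```python
"""Cross-check the client (2911) and server (ASA) halves of the EZVPN
configuration shown on this page.  Added example: the config fragments are
copied from the page; the check logic is not the author's or Cisco's."""
import re
from ipaddress import ip_network

# Constructed: only the 2911 lines the checks need, copied from the page.
IOS_2911 = """
crypto ipsec client ezvpn R1
 connect auto
 group SATELLITE key cisco123
 mode network-extension
 peer 216.1.1.1
 acl 100
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.31 any
"""

# Constructed: only the ASA lines the checks need, copied from the page.
ASA_5510 = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group SATELLITE type remote-access
tunnel-group SATELLITE ipsec-attributes
 pre-shared-key cisco123
group-policy SATELLITE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 nem enable
access-list SPLIT_TUNNEL_ACL extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
"""

# Assumption: algorithms Cisco's Next Generation Encryption guidance marks "avoid".
WEAK = {"des", "3des", "md5", "group 1", "group 2", "group 5",
        "esp-des", "esp-3des", "esp-md5-hmac"}


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks (0.0.0.255 == /24); assumes a contiguous mask."""
    host_bits = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse_2911(cfg):
    """Pull group/key, NEM flag and the crypto ACL's source networks from the client side."""
    group, key = re.search(r"^\s*group (\S+) key (\S+)", cfg, re.M).groups()
    acl = re.search(r"^\s*acl (\d+)", cfg, re.M).group(1)
    crypto_src = [wildcard_to_network(a, w) for a, w in
                  re.findall(rf"^access-list {acl} permit ip (\S+) (\S+) any", cfg, re.M)]
    return {"group": group, "key": key, "crypto_src": crypto_src,
            "nem": bool(re.search(r"^\s*mode network-extension", cfg, re.M))}


def parse_asa(cfg):
    """Pull tunnel-group/PSK, NEM flag, split ACL and the algorithms in use from the server side."""
    group = re.search(r"^tunnel-group (\S+) type remote-access", cfg, re.M).group(1)
    key = re.search(r"^\s*pre-shared-key (\S+)", cfg, re.M).group(1)
    acl_name = re.search(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M).group(1)
    src, smask, dst, dmask = re.search(
        rf"^access-list {acl_name} extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M).groups()
    algos = set(re.findall(r"^\s*(?:encryption|hash) (\S+)", cfg, re.M))
    algos |= set(re.findall(r"^\s*(group \d+)", cfg, re.M))
    transform = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    if transform:
        algos |= set(transform.group(1).split())
    return {"group": group, "key": key,
            "split_src": ip_network(f"{src}/{smask}"),  # pushed to the client as its split list
            "split_dst": ip_network(f"{dst}/{dmask}"),  # what the client may source from
            "nem": bool(re.search(r"^\s*nem enable", cfg, re.M)),
            "algos": algos}


def cross_check(ios_cfg, asa_cfg):
    """Return a dict of pass/fail results and the weak algorithms found on the ASA."""
    c, s = parse_2911(ios_cfg), parse_asa(asa_cfg)
    return {
        "group_match": c["group"] == s["group"],
        "psk_match": c["key"] == s["key"],
        "nem_both_sides": c["nem"] and s["nem"],
        # The ASA ACL is read from the ASA's perspective, so its destination side
        # must cover every source network the 2911 marks for encryption.
        "split_covers_client": all(n.subnet_of(s["split_dst"]) for n in c["crypto_src"]),
        "weak_algorithms": sorted(a for a in s["algos"] if a in WEAK),
    }


if __name__ == "__main__":
    for name, result in cross_check(IOS_2911, ASA_5510).items():
        print(f"{name:22} {result}")
```

Run it as-is to check the page's configuration, or swap in your own two fragments; a `psk_match` or `split_covers_client` failure is the kind of mismatch that leaves the tunnel up but some client subnets unreachable, while `weak_algorithms` points at the transform-set and ISAKMP policy lines to modernise.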

Verification
2911# sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : R1
Inside interface list: GigabitEthernet1/0
Outside interface: GigabitEthernet0/0
Current State: IPSEC_ACTIVE
Split Tunnel List: 1                          << dynamically downloaded from ASA
       Address    : 172.16.0.0
       Mask       : 255.255.0.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 216.1.1.1

Note: On the 2911, outbound traffic with a source address matching ACL 100 and destined to 172.16.0.0/16 will be encrypted and tunneled via IPsec to the Corporate ASA. Outbound traffic with a source address matching ACL 101 to any destination will be translated using PAT. With this method, Corporate-destined traffic is tunneled over IPsec and Internet-destined traffic is routed to the ISP. This achieves the split tunneling requirement.

ASA# show route outside 192.168.20.1
S    192.168.20.252 255.255.255.252 [1/0] via 216.195.64.249, outside
S    172.16.100.0 255.255.255.0 [1/0] via 216.195.64.249, outside

Note: The 2911 Gig1/0 and client networks are dynamically added to the ASA routing table from the 2911 EZVPN client. This is done via the reverse-route command on the ASA and the acl command on the 2911.
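The two notes above describe a forwarding decision on the 2911: a packet is tunneled when its source matches ACL 100 and its destination falls in the split-tunnel list pushed by the ASA, and is PAT'd when its source matches ACL 101. The script below is an added example, not part of the original document: it parses the `show crypto ipsec client ezvpn` output copied from this page and applies those two rules to sample flows. The precedence (tunnel match first, then PAT) is the behaviour the notes describe, encoded as a model; it is not a reproduction of IOS's internal order of operations. Applied to the page's ACLs, it also makes visible one consequence the text leaves implicit: the voice subnet 192.168.20.32/27 is inside ACL 100 but outside ACL 101, so phones reach Corporate over the tunnel but have no PAT path to the Internet.

```python
"""Parse the 2911's 'show crypto ipsec client ezvpn' output and classify
sample flows as tunneled, PAT'd or neither.  Added example, not from the
original document; the show output and ACLs are copied from the page."""
import re
from ipaddress import ip_address, ip_network

# Constructed: the show output from the Verification section, re-flowed.
SHOW_EZVPN = """\
Easy VPN Remote Phase: 8
Tunnel name : R1
Inside interface list: GigabitEthernet1/0
Outside interface: GigabitEthernet0/0
Current State: IPSEC_ACTIVE
Split Tunnel List: 1
       Address    : 172.16.0.0
       Mask       : 255.255.0.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 216.1.1.1
"""

# access-list 100 permit ip 192.168.20.0 0.0.0.255 any  (crypto ACL)
CRYPTO_ACL_100 = [ip_network("192.168.20.0/24")]
# access-list 101 permit ip 192.168.20.0 0.0.0.31 any   (NAT ACL, data subnet only)
NAT_ACL_101 = [ip_network("192.168.20.0/27")]


def parse_show_ezvpn(text):
    """Extract the tunnel state and the split-tunnel networks pushed by the ASA."""
    state = re.search(r"Current State:\s*(\S+)", text).group(1)
    peer = re.search(r"Current EzVPN Peer:\s*(\S+)", text).group(1)
    split = [ip_network(f"{addr}/{mask}") for addr, mask in
             re.findall(r"Address\s*:\s*(\S+)\s+Mask\s*:\s*(\S+)", text)]
    return {"state": state, "peer": peer, "split": split}


def classify(src, dst, info):
    """Return 'ipsec', 'pat', 'tunnel-down' or 'unhandled' for a packet src -> dst.

    Model of the page's two notes: crypto ACL + split list wins, then NAT ACL.
    The page only describes the active tunnel; a down tunnel is reported, not modelled.
    """
    s, d = ip_address(src), ip_address(dst)
    in_crypto_acl = any(s in net for net in CRYPTO_ACL_100)
    in_split_list = any(d in net for net in info["split"])
    if in_crypto_acl and in_split_list:
        return "ipsec" if info["state"] == "IPSEC_ACTIVE" else "tunnel-down"
    if any(s in net for net in NAT_ACL_101):
        return "pat"
    return "unhandled"


def classify_all(flows, info):
    """Classify a list of (src, dst) pairs; returns {(src, dst): verdict}."""
    return {(src, dst): classify(src, dst, info) for src, dst in flows}


if __name__ == "__main__":
    info = parse_show_ezvpn(SHOW_EZVPN)
    # Constructed sample flows: a data PC and a phone, each to Corporate and to the Internet.
    samples = [("192.168.20.5", "172.16.1.55"), ("192.168.20.5", "203.0.113.10"),
               ("192.168.20.40", "172.16.200.10"), ("192.168.20.40", "203.0.113.10")]
    for (src, dst), verdict in classify_all(samples, info).items():
        print(f"{src:>14} -> {dst:<14} {verdict}")
```

To use it against a live box, paste the real `show crypto ipsec client ezvpn` output into `SHOW_EZVPN` and keep the two ACL constants in step with the router; any flow that comes back `unhandled` is one that neither the tunnel nor PAT will carry, which is the first thing to look at when a remote host can reach Corporate but not the Internet (or vice versa).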
