Cisco 871 EasyVPN hardware client with NEM behind NAT device

How do you configure a Cisco 871 as an EasyVPN hardware client with network extension mode when it is behind a NAT device, connecting to a corporate network with an ASA as the VPN termination point?

Device line-up

Clients -> 871 -> PIX515E (nat 1) -> 871 (nat 2) --------------> ASA

I got the error message: EZVPN: User connect request ignored,tunnel ASA endpoint not ready for request

ASA config (it is working for the VPN client from the same network as the HW client and is terminating several L2L tunnels too, so crypto is enabled and functioning):

group-policy FLUOR_Policy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value *
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
username * password *
!
crypto ipsec transform-set FLUOR_SET esp-des esp-md5-hmac
crypto dynamic-map FLUOR_DYN-MAP 5 set transform-set FLUOR_SET
crypto map outside_map0 64999 ipsec-isakmp dynamic FLUOR_DYN-MAP
!
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!
tunnel-group FLUOR_RAGroup general-attributes
 default-group-policy FLUOR_Policy
tunnel-group FLUOR_RAGroup ipsec-attributes
 pre-shared-key *

871 config:

boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.220.41.0 10.220.41.10
ip dhcp excluded-address 10.220.41.50 10.220.41.63
!
ip dhcp pool BLAH
   network 10.220.41.0 255.255.255.192
   domain-name blah.local
   dns-server 10.220.0.110 10.220.0.148 10.220.0.152
   netbios-name-server 10.220.227.1 10.220.227.5
   default-router 10.220.41.62
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
crypto ipsec client ezvpn xauth
 connect auto
 mode client
 username * password *
 xauth userid mode local
crypto ipsec client ezvpn ASA
 connect auto
 mode network-extension
 peer x.x.x.x
 xauth userid mode interactive
!
archive
 log config
  hidekeys
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 192.168.100.112 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto ipsec client ezvpn ASA
!
interface Vlan1
 ip address 10.220.41.62 255.255.255.192
 ip access-group 100 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn ASA inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.100.254
!
no ip http server
no ip http secure-server
ip nat inside source route-map EzVPN1 interface FastEthernet1 overload
!
access-list 101 permit ip 10.220.41.0 0.0.0.191 any
!
route-map EzVPN1 permit 1
 match ip address 101
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
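As an added sanity check (my own code, not from the post), the script below cross-references the interface roles in the 871 config: which interface carries `ip nat outside`, which carries the EzVPN client on the outside, which is the `ezvpn ... inside` interface, and whether the interface named in the `ip nat inside source ... overload` statement agrees with them. It does not diagnose the EZVPN error; it only reports where the config disagrees with itself, and the `CONFIG_871` excerpt is my trimming of the posted config to the NAT- and EzVPN-relevant lines.

```python
import re

# Constructed excerpt of the posted 871 config; the trimming to NAT/EzVPN
# lines is mine, the commands themselves are as posted.
CONFIG_871 = """\
interface FastEthernet1
!
interface FastEthernet4
 ip address 192.168.100.112 255.255.255.0
 ip nat outside
 crypto ipsec client ezvpn ASA
!
interface Vlan1
 ip address 10.220.41.62 255.255.255.192
 ip nat inside
 crypto ipsec client ezvpn ASA inside
!
ip nat inside source route-map EzVPN1 interface FastEthernet1 overload
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def check_nat_consistency(config):
    """Return findings where the NAT overload interface and EzVPN roles disagree."""
    ifs = parse_interfaces(config)
    ezvpn = lambda c: c.startswith("crypto ipsec client ezvpn")
    nat_outside = {n for n, c in ifs.items() if "ip nat outside" in c}
    ez_outside = {n for n, c in ifs.items() if any(ezvpn(x) and not x.endswith(" inside") for x in c)}
    ez_inside = {n for n, c in ifs.items() if any(ezvpn(x) and x.endswith(" inside") for x in c)}
    findings = []
    if not ez_inside:
        findings.append("no interface is marked as the EzVPN inside interface")
    for m in re.finditer(r"^ip nat inside source .* interface (\S+) overload", config, re.M):
        iface = m.group(1)
        if iface not in nat_outside:
            findings.append(f"NAT overload uses {iface}, but 'ip nat outside' is on {sorted(nat_outside)}")
        if iface not in ez_outside:
            findings.append(f"NAT overload uses {iface}, but the EzVPN outside interface is {sorted(ez_outside)}")
    return findings

if __name__ == "__main__":
    for finding in check_nat_consistency(CONFIG_871):
        print("-", finding)
```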
