Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Easy VPN Remote
Easy VPN Remote lets the ASA 5505 act as an Easy VPN client device. The ASA 5505 can then initiate
a VPN tunnel to an Easy VPN server, which can be a security appliance, a Cisco VPN 3000 Concentrator,
an IOS-based router, or a firewall acting as an Easy VPN server.
The Easy VPN client operates in one of two modes: Client Mode or Network Extension Mode (NEM).
The mode determines whether hosts behind the Easy VPN Client are reachable from the enterprise
network over the tunnel. You must specify a mode before the first connection, because the Easy VPN
Client has no default mode.
Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN
Client private network from those on the enterprise network. The Easy VPN Client performs PAT on all
VPN traffic from its inside hosts, so the enterprise side sees only the address the server assigns to
the client. No IP address management is required for either the Easy VPN Client inside interface or
the inside hosts.
NEM makes the inside interface and all inside hosts routable across the enterprise network over the
tunnel. Hosts on the inside network use addresses (assigned statically or via DHCP) from a subnet that
is routable from the enterprise side. PAT is not applied to VPN traffic in NEM, and the server does
not need a separate VPN configuration for each client. An ASA 5505 configured for NEM supports
automatic tunnel initiation; for this to work, the configuration must store the group name, user name,
and password on the device. Automatic tunnel initiation is disabled if secure unit authentication is
enabled on the headend, because the user credentials must then be entered interactively rather than
read from the stored configuration.
In client mode, by contrast, the network and addresses on the private side of the Easy VPN Client are
hidden behind PAT and cannot be accessed directly from the enterprise network.
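The ASDM fields described in this section correspond to the ASA CLI `vpnclient` commands on the remote device and to group-policy and crypto-map settings on the headend. The following is an added example, not configuration from this guide: it shows the NEM settings for an unattended branch ASA 5505 together with the matching headend settings. The server addresses, group name, user name, group-policy name and crypto map name are assumed, and the key and password are placeholders.

```cisco
! --- ASA 5505 acting as the Easy VPN Remote (client side) ---
! Primary Easy VPN server plus one secondary server; both addresses are assumed.
vpnclient server 203.0.113.10 203.0.113.11
! Exactly one mode must be chosen; there is no default.
! For client (PAT) mode use instead:  vpnclient mode client-mode
vpnclient mode network-extension-mode
! Group (pre-shared key) authentication; group name and key are assumed placeholders.
vpnclient vpngroup ezvpn-branch password <group-preshared-key>
! Stored Xauth credentials: required for automatic tunnel initiation in NEM.
! If the headend enforces secure unit authentication these are ignored and a
! user must log in interactively, so the tunnel no longer comes up unattended.
vpnclient username branch01 password <xauth-password>
! Equivalent of the "Auto connect" check box: bring the data tunnels up
! automatically even when split tunnelling is pushed in the group policy.
vpnclient nem-st-autoconnect
vpnclient enable

! --- Easy VPN server (headend ASA): settings that pair with the remote above ---
group-policy ezvpn-branch-policy attributes
 ! Permit network-extension-mode clients in this group.
 nem enable
 ! Leave secure unit authentication disabled if the branch must auto-connect;
 ! enabling it trades unattended operation for a per-session user login.
 secure-unit-authentication disable
! Reverse Route Injection advertises each connected NEM client's inside network
! into the headend routing table. Apply it on every headend the remote uses,
! including the secondary servers, or return traffic will not find the branch.
crypto map outside_map 10 set reverse-route
```

The design trade-off to note is that automatic tunnel initiation only works because the Xauth user name and password live in the branch device's configuration; anyone who obtains that configuration can authenticate as the branch. Secure unit authentication removes the stored credential from the picture, at the cost of the unattended connect behaviour the preceding paragraph describes.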
Fields
Enable Easy VPN Remote—Enables the Easy VPN Remote feature and makes available the rest of
the fields on this window for configuration.
Mode—Selects either Client mode or Network extension mode.
Client mode—Uses Port Address Translation (PAT) mode to isolate the addresses of the inside
hosts, relative to the client, from the enterprise network.
Network extension mode—Makes those addresses accessible from the enterprise network.
Note If the Easy VPN Remote is using NEM and has connections to secondary servers,
establish an ASDM connection to each headend and check Enable Reverse Route
Injection on the Configuration > VPN > IPSec > IPSec Rules > Tunnel Policy (Crypto
Map) - Advanced dialog box to configure dynamic announcements of the remote
network using RRI.
Auto connect—The Easy VPN Remote establishes automatic IPSec data tunnels unless both of
the following are true: Network extension mode is configured locally, and split-tunneling is
configured on the group policy pushed to the Easy VPN Remote. If both are true, checking this
attribute automates the establishment of IPSec data tunnels. Otherwise, this attribute has no
effect.
Group Settings—Specifies whether the Easy VPN Remote authenticates to the server with a pre-shared
key or an X.509 certificate.
Pre-shared key—Enables the use of a pre-shared key for authentication and makes available the
subsequent Group Name, Group Password, and Confirm Password fields for entering the group name and
the pre-shared key for that group.
Group Name—Specifies the name of the group policy to use for authentication.