Cisco Easy VPN offers
flexibility, scalability, and ease of use for site-to-site and remote-access
VPNs. It implements the Cisco Unity Client protocol, allowing administrators to
define most VPN parameters on the Easy VPN Server, simplifying the Easy VPN
The Cisco ASA with
FirePOWER models 5506-X, 5506W-X, 5506H-X, and 5508-X support Easy VPN Remote
as a hardware client that initiates the VPN tunnel to an Easy VPN Server. The
Easy VPN server can be another ASA (any model), or a Cisco IOS-based router. An
ASA cannot function as both an Easy VPN Remote and an Easy VPN Server
The Cisco ASA
5506-X, 5506W-X, 5506H-X and 5508-X models support L3 switching not L2
switching. Use an external switch when using Easy VPN Remote with multiple
hosts or devices on the inside network. A switch is not required if a single
host is on the inside network of the ASA.
The following sections
describe Easy VPN options and settings.
Easy VPN uses IPsec
IKEv1 tunnels. The Easy VPN Remote hardware client's configuration must be
compatible with the VPN configuration on the Easy VPN Server headend. If using
secondary servers, their configuration must be identical to the primary server.
The ASA Easy VPN
Remote configures the IP address of the primary Easy VPN Server and optionally,
up to 10 secondary (backup) servers.
server command in global configuration mode to configure these
If unable to set up the tunnel to the primary server, the client
tries the connection to the first secondary VPN server, and then sequentially
down the list of VPN servers at 8 second intervals. If the setup tunnel to the
first secondary server fails, and the primary server comes online during this
time, the client will proceed to set up the tunnel to the second secondary VPN
By default, the Easy
VPN hardware client and server encapsulate IPsec in User Datagram Protocol
(UDP) packets. Some environments, such as those with certain firewall rules, or
NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security
Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such
environments, you must configure the client and the server to encapsulate IPsec
within TCP packets to enable secure tunneling.
ipsec-over-tcp command to configure this.
If your environment allows UDP, however, configuring IPsec over
TCP adds unnecessary overhead.
Easy VPN Tunnel
establishment, the Easy VPN Remote specifies the tunnel group, configured on
the Easy VPN Server, that will be used for the connection. The Easy VPN Server
pushes group policy or user attributes to the Easy VPN Remote hardware client
determining tunnel behavior. To change certain attributes, you must modify them
on the ASAs configured as primary or secondary Easy VPN Servers.
Easy VPN Remote client specifies the group policy using the
vpngroup command to configure its name and pre-shared key, or the
trustpoint command to identify a pre-configured trustpoint.
Easy VPN Mode
The mode determines
whether the hosts behind the Easy VPN Remote are accessible or not from the
enterprise network over the tunnel:
also called Port Address Translation (PAT) mode, isolates all devices on the
Easy VPN Remote private network from those on the enterprise network. The Easy
VPN Remote performs Port Address Translation (PAT) for all VPN traffic for its
inside hosts. The network and addresses on the private side of the Easy VPN
Remote are hidden, and cannot be accessed directly. IP address management is
not required for the Easy VPN Client inside interface or the inside hosts.
Extension Mode (NEM) makes the inside interface and all inside hosts route-able
across the enterprise network over the tunnel. Hosts on the inside network
obtain their IP addresses from an accessible subnet (statically or via DHCP)
pre-configured with static IP addresses. PAT does not apply to VPN traffic in
NEM. This mode does not require a VPN configuration or tunnel for each host on
the inside network, the Easy VPN Remote provides tunneling for all of the
The Easy VPN
Server defaults to Client mode.
To configure NEM mode use the
command in group policy configuration mode. Specifying one of the modes of
operation on the Easy VPN Remote is mandatory before establishing a tunnel
because it does not have a default mode.
On the Easy VPN Remote use the
mode command to configure PAT or NEM.
The Easy VPN
Remote ASA configured for NEM mode supports automatic tunnel initiation.
Automatic initiation requires the configuration and storage of credentials used
to set up the tunnel. Automatic tunnel initiation is disabled if secure unit
authentication is enabled.
An Easy VPN
Remote in Network Extension Mode with multiple interfaces configured builds a
tunnel for locally encrypted traffic only from the interface with the highest
Easy VPN User
The ASA Easy VPN
Remote can store the username and password for automatic login using the
security, the Easy VPN Server can require:
authentication (SUA)—ignores the configured username and password requiring a
user to manually authenticate. By default, SUA is disabled, enable SUA on the
Easy VPN Serverusing the
user authentication (IUA)—requires users behind the Easy VPN Remote to
authenticate before receiving access to the enterprise VPN network. By default,
IUA is disabled, enable IUA on the Easy VPN Serverusing the
IUA, specific devices, such as Cisco IP Phones or printers, behind the hardware
client will need to bypass individual user authentication.
configure this, specify IP phone bypass, using the
command, on the Easy VPN Server and MAC
address exemption, using the
command, on the Easy VPN Remote.
the Easy VPN Server can set or remove the idle timeout period after which the
Easy VPN Server terminates the client’s access using the
user-authentication-idle-timeout command on the
Easy VPN Server.
The Cisco Easy VPN
server intercepts HTTP traffic and redirects the user to a login page if the
user name and password is not configured, or SUA is disabled, or IUA is
enabled. HTTP redirection is automatic and does not require configuration on
the Easy VPN Server.
The ASA operating as an Easy VPN Remote hardware client supports
management access using SSH or HTTPS, with or without additional IPsec
By default, management tunnels use IPsec encryption within SSH or
HTTPS encryption. You can
clear the IPsec encryption layer allowing management access
outside of the VPN tunnel using the
vpnclient management clear command.
Clearing tunnel management merely removes the IPsec encryption level and does
not affect any other encryption, such as SSH or HTTPS, that exists on the
For additional security, the Easy VPN Remote can require the IPsec
encryption and limit administrative access to specific hosts or networks on the
corporate side using the
tunnel command in global configuration mode.
no vpnclient management to return to
default remote management operation.
Do not configure a management tunnel on a ASA Easy VPN Remote if a
NAT device is operating between it and the Internet. In that configuration,
clear remote management using the
vpnclient management clear command.
Regardless of your
configuration, DHCP requests (including renew messages) should not flow over
IPsec tunnels. Even with a vpnclient management tunnel, DHCP traffic is