1-6
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Easy VPN Services on the ASA 5505
Specifying the Tunnel Group or Trustpoint
Caution Cisco does not support the use of the vpnclient management command if a NAT device is
present between the client and the Internet.
• Use of the vpnclient mode command to specify one of the following modes of operation:
–
client to use Port Address Translation (PAT) mode to isolate the addresses of the inside hosts,
relative to the client, from the enterprise network.
–
network-extension-mode to make those addresses accessible from the enterprise network.
Figure 1-1 shows the types of tunnels that the Easy VPN client initiates, based on the combination of the
commands you enter.
Figure 1-1 Easy VPN Hardware Client Tunneling Options for the Cisco ASA 5505
The term “All-Or-Nothing” refers to the presence or absence of an access list for split tunneling. The
access list (“ST-list”) distinguishes networks that require tunneling from those that do not.
Specifying the Tunnel Group or Trustpoint
When configuring the Cisco ASA 5505 as an Easy VPN hardware client, you can specify a tunnel group
or trustpoint configured on the Easy VPN server, depending on the Easy VPN server configuration. See
the section that names the option you want to use:
• Specifying the Tunnel Group
• Specifying the Trustpoint
Work zone
Public
client
Public
server
Corporate
Phase 2 Tunnels Source proxy
Destination proxy
1) Public to Public
2) Management
a) clear
b) default
c) tunnel
3) Inside to Inside
a) NEM Mode
b) Client mode
Public IP
N/A
Public IP
Public IP
NEM Network
Assign IP
Public IP
N/A
Any or ST-List (*3)
Any or ST-List (*3)
Any or ST-List (*3)
Specified on Client
* Only for ASA or VPN3000 Headends
Configuration factors:
1. Certs or Preshare Keys (Phase 1- main mode or aggressive mode)
2. Mode: Client or NEM
3. All-or-nothing or Split-tunneling
4. Management Tunnels
5. IUA to VPN3000 or ASA headend
153780
To Next Page
Loading...
Need help?
General
