ASA5510 to ASA5505 Easy VPN Server Client Configuration Sample

A recent configuration of mine…thought I would save the template for
future use. Useful when the ASA5505 has a dynamic IP, so you can’t build
a typical site-to-site VPN.

ASA5510 Configuration (Easy VPN Server)

! Assumes local subnet = 10.223.0.0/24
! Assumes remote subnet = 10.0.0.0/24

! isakmp policies
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

! NAT exemptions
access-list NONAT extended permit ip 10.223.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split-tunnel ACL referenced by the group policy below (local subnet to remote subnet)
access-list US1998 remark ACL for EZ VPN Remote
access-list US1998 extended permit ip 10.223.0.0 255.255.255.0 10.0.0.0 255.255.255.0

! Group policy defines the configuration applied to the EZ VPN Remote client
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value US1998
nem enable
webvpn

! Tunnel group is used for initial authentication and to apply group policy
tunnel-group EZVPN_TG type ipsec-ra
tunnel-group EZVPN_TG general-attributes
default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
pre-shared-key <group password here>

! EZ VPN remote user account password
username US1998 password <user password here>

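! IPsec transform set referenced by the dynamic map (skip if already defined)
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNAMIC-MAP 5 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP
! Apply the crypto map to the outside interface (skip if already applied)
crypto map OUTSIDE_MAP interface outside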

ASA5505 Configuration (Easy VPN Client)

! 5.5.5.5 = public IP of the ASA5510
vpnclient server 5.5.5.5
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN_TG password <group password>
vpnclient username US1998 password <user password>
vpnclient enable