Specifying the tunnel group or trustpoint – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 71 Configuring Easy VPN Services on the ASA 5505


Caution: Cisco does not support the use of the vpnclient management command if a NAT device is
present between the client and the Internet.

Use the vpnclient mode command to specify one of the following modes of operation:

client, to use Port Address Translation (PAT) mode to isolate the addresses of the inside hosts,
relative to the client, from the enterprise network.

network-extension-mode, to make those addresses accessible from the enterprise network.

Figure 71-1 shows the types of tunnels that the Easy VPN client initiates, based on the combination of
the commands you enter.

Figure 71-1 Easy VPN Hardware Client Tunneling Options for the Cisco ASA 5505

The term “All-Or-Nothing” refers to the presence or absence of an access list for split tunneling. The
access list (“ST-list”) distinguishes networks that require tunneling from those that do not.
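
The following is an added example, not part of the Cisco guide: a small Python audit helper that reads the vpnclient lines of an ASA 5505 configuration and lists the Phase 2 tunnels Figure 71-1 leads you to expect, so they can be compared with the tunnels actually observed. The sample configuration, the function names, the acceptance of both "client" and "client-mode" as the mode keyword, and the treatment of an absent vpnclient management line as the figure's "default" case are assumptions made for this example.

```python
# Added example (not Cisco code). SAMPLE_CONFIG is constructed; addresses, group and key are placeholders.
SAMPLE_CONFIG = """\
vpnclient server 192.0.2.10
vpnclient mode network-extension-mode
vpnclient vpngroup EXAMPLE-GROUP password EXAMPLE-KEY
vpnclient management tunnel 198.51.100.0 255.255.255.0
vpnclient enable
"""
def parse_vpnclient(config):
    """Collect the vpnclient settings that decide which tunnels are initiated."""
    s = {"mode": None, "mgmt": "default", "mgmt_net": None, "auth": None}
    for line in config.splitlines():
        w = line.split()
        if len(w) < 3 or w[0] != "vpnclient":
            continue
        if w[1] == "mode" and w[2] == "network-extension-mode":
            s["mode"] = "nem"
        elif w[1] == "mode" and w[2] in ("client", "client-mode"):  # assumed spellings
            s["mode"] = "client"
        elif w[1] == "management":
            s["mgmt"] = w[2]                          # "clear" or "tunnel"
            s["mgmt_net"] = " ".join(w[3:5]) or None  # network and mask, if given
        elif w[1] in ("vpngroup", "trustpoint"):
            s["auth"] = w[1]                          # tunnel group or trustpoint
    return s

def expected_tunnels(s, split_tunnel=False):
    """Return (tunnel, source proxy, destination proxy) rows as read from Figure 71-1."""
    dest = "ST-List" if split_tunnel else "Any"       # split tunneling vs all-or-nothing
    rows = [("Public to Public", "Public IP", "Public IP")]
    if s["mgmt"] == "tunnel":
        rows.append(("Management (tunnel)", "Public IP", s["mgmt_net"] or "Specified on Client"))
    elif s["mgmt"] == "default":
        rows.append(("Management (default)", "Public IP", dest))
    # "clear" management traffic is not tunneled (N/A in the figure), so it adds no row.
    if s["mode"] == "nem":
        rows.append(("Inside to Inside (NEM)", "NEM Network", dest))
    elif s["mode"] == "client":
        rows.append(("Inside to Inside (client)", "Assign IP", dest))
    return rows

def review_notes(s):
    """Points from this page that a reviewer should confirm for the parsed settings."""
    notes = []
    if s["mode"] == "nem":
        notes.append("NEM: inside host addresses are accessible from the enterprise network")
    if s["mgmt"] != "default":
        notes.append("vpnclient management: unsupported with a NAT device between client and Internet")
    return notes

if __name__ == "__main__":
    print(expected_tunnels(parse_vpnclient(SAMPLE_CONFIG), split_tunnel=True))
```

Pass split_tunnel=True when the Easy VPN server pushes an ST-list; with the default, the destination proxy is "Any".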

Specifying the Tunnel Group or Trustpoint

When configuring the Cisco ASA 5505 as an Easy VPN hardware client, you can specify a tunnel group
or trustpoint configured on the Easy VPN server, depending on the Easy VPN server configuration. See
the section that names the option you want to use:

Specifying the Tunnel Group

Specifying the Trustpoint

[Figure 71-1 diagram labels: Work zone, Public client, Public server, Corporate]

Phase 2 Tunnels         Source proxy    Destination proxy
1) Public to Public     Public IP       Public IP
2) Management
   a) clear             N/A             N/A
   b) default           Public IP       Any or ST-List (*3)
   c) tunnel            Public IP       Specified on Client
3) Inside to Inside
   a) NEM Mode          NEM Network     Any or ST-List (*3)
   b) Client mode       Assign IP       Any or ST-List (*3)

* Only for ASA or VPN3000 Headends

Configuration factors:
1. Certs or Preshare Keys (Phase 1 - main mode or aggressive mode)
2. Mode: Client or NEM
3. All-or-nothing or Split-tunneling
4. Management Tunnels
5. IUA to VPN3000 or ASA headend
