Chapter 5
Scenario: Easy VPN Hardware Client Configuration
Client Mode and Network Extension Mode
Client Mode, also called Port Address Translation (PAT) mode, isolates all
devices on the Easy VPN Client private network from those on the enterprise
network. The Easy VPN Client performs PAT for all VPN traffic for its inside
hosts. IP address management is not required for either the Easy VPN Client
inside interface or the inside hosts.
Network Extension Mode (NEM) makes the inside interface and all inside hosts
routable across the enterprise network over the tunnel. Hosts on the inside
network obtain their IP addresses from an accessible subnet (statically or with
DHCP) that is preconfigured with static IP addresses. PAT does not apply to VPN
traffic in NEM. This mode does not require a VPN configuration for each client.
The Cisco ASA 5505 configured for NEM supports automatic tunnel initiation. The
configuration must store the group name, user name, and password.
Automatic tunnel initiation is disabled if secure unit authentication is enabled.
The network and addresses on the private side of the Easy VPN Client are hidden,
and cannot be accessed directly.
The Easy VPN hardware client does not have a default mode. However, if you do
not specify the mode in ASDM, ASDM automatically selects client mode. When
you configure the Easy VPN hardware client using the CLI, you must specify a
mode.
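The following CLI fragment is an added example, not taken from the guide, showing where the mode is set when the Easy VPN hardware client is configured from the command line. The server address (a documentation-range IP), group name, user name, and both passwords are placeholders.

```cisco
! Constructed example; every value below is a placeholder.
! Address of the Easy VPN server (headend).
vpnclient server 192.0.2.10
!
! The CLI has no default mode, so one of the two must be given explicitly.
! Client (PAT) mode: inside hosts are hidden behind PAT.
vpnclient mode client-mode
! Network Extension Mode alternative (use instead of the line above):
! vpnclient mode network-extension-mode
!
! Group name and pre-shared key, then the user credentials.
! Automatic tunnel initiation in NEM depends on these being stored
! in the configuration.
vpnclient vpngroup EXAMPLE-GROUP password EXAMPLE-GROUP-KEY
vpnclient username example-user password EXAMPLE-USER-PASSWORD
!
! Turn on the Easy VPN hardware client.
vpnclient enable
```

Because the group key and user password are stored in the device configuration, saved or exported copies of that configuration need the same protection as the credentials themselves.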
Figure 5-2 shows a sample network topology with the ASA 5505 running in Easy
VPN Client Mode. When configured in Client Mode, devices on the inside
interface of the ASA 5505 cannot be accessed by devices behind the Easy VPN
server.
Cisco ASA 5505 Getting Started Guide
5-3
78-17612-01