[c-nsp] EasyVPN IOS->ASA55xx
William
willay at gmail.com
Tue Apr 1 04:05:47 EDT 2008
Hi Peter,
The command same-security-traffic permit intra-interface is not in the
config but am I likely to break anything if I use it?
W
On 31/03/2008, Peter Rathlev <peter at rathlev.dk> wrote:
> On Mon, 2008-03-31 at 21:01 +0100, William wrote:
> > I did try the icmp permit commands but that still doesn't fix my issue.
> > I also get DENYs come up in the logs when I try to telnet to the
> > devices over the vpn (on the client 800 end).
>
>
> > > > %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst
> > > > inside:22.22.22.2 (type 8, code 0)
>
>
> This is an ICMP deny, specifically addressed by the "icmp permit"
> commands. If you get denys from TCP connections the log messages will be
> different. They should actually tell you which ACL denies the traffic.
> (If it says "" it's an implicit deny on an interface without an ACL.)
> Their format (the log message number) could give a clue.
>
> I'm just shooting in the dark, but according to the above message the
> traffic enters and exits the same interface; do you have the
> "same-security-traffic permit intra-interface" command for that?
>
> Otherwise I'm blank. :-)
>
> Regards,
>
> Peter
>
>
>