[c-nsp] EasyVPN IOS->ASA55xx
William
willay at gmail.com
Mon Mar 31 09:24:22 EDT 2008
Hi List,
With the help of Kaj I was able to resolve the authentication issue.
I'm now having an access-list issue I think...
It seems the user can connect from behind their 800 router to our
network but we cannot make a connection back to them, the behavior is
like when you have EasyVPN on 'client mode'.
For example when we try to ping we get:
%ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst
inside:22.22.22.2 (type 8, code 0)
There was no access-list applied to the inside, so I did the following
for testing:
access-list inside_access_in extended permit ip any any
then
access-group inside_access_in in interface inside
The access-list is getting hit but I'm still getting denies in the logs.
I can't see what else could be stopping the packets.
Regards.
On 26/03/2008, Kaj Niemi <kajtzu at basen.net> wrote:
> Hi,
>
>
> You need "isakmp ikev1-user-authentication none" under "tunnel-group
> myGROUP ipsec-attributes". It is advisable to have another group for
> Easy VPN peers and not mix them with users if you use XAUTH - the
> latter is used for user authentication while IKE is used for device
> authentication.
>
> On Mar 26, 2008, at 13:01, William wrote:
> > Hi,
> >
> > I have a setup which consists of an IOS-based router connecting to an
> > ASA5500 firewall device.
> >
> > I've got it working in network extension mode but it requires user
> > interaction on the router, here's a cut from the log:
> >
> > *Mar 3 02:50:28.823: EZVPN(EASYVPN): Pending XAuth Request, Please
> > enter the following command:
> > *Mar 3 02:50:28.823: EZVPN: crypto ipsec client ezvpn xauth
> >
> > For the tunnel to be established you have to do `crypto ipsec client
> > ezvpn xauth` from the CLI and enter a username and password.
> >
> > Is there any way I can get around doing the above? I don't want the
> > user to have to enter that, just turn on & go.
> >
> > EasyVPN config looks like:
> >
> > crypto ipsec client ezvpn EASYVPN
> > connect auto
> > group mytunnel key mykey
> > mode network-extension
> > peer mypeer
> > username myusername password mypassword
> >
> > ASA:
> >
> > group-policy myGROUP attributes
> > password-storage enable
> > split-tunnel-policy tunnelspecified
> > split-tunnel-network-list value ezvpn1
> > nem enable
> >
> > I was under the impression that 'password-storage enable' would do the
> > trick but I still have to enter the password.
> >
> > Any help would be appreciated.
> >
> > Regards,
> >
> > W
>
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> HTH
>
> Kaj
>
> --
> Kaj J. Niemi
> <kajtzu at basen.net>
> +358 45 63 12000
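The %ASA-3-106014 line William quotes packs the interface names into the address fields, which is easy to misread when skimming a syslog stream. The following is an added example written for this archived thread, not code from the original post or from Cisco: a small Python parser for that message format that extracts the source and destination interfaces, addresses and ICMP type/code, and flags denies whose source and destination interface are the same. That distinction matters to an operator because the ASA handles traffic re-entering the interface it arrived on separately from traffic crossing between two interfaces. The sample log lines are constructed; the first reuses the placeholder addresses from the thread, and the others are invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines. The first mirrors the 106014 message quoted
# in the thread; the second and third are invented to show a cross-interface
# deny and an unrelated message type.
SAMPLE_LOGS: List[str] = [
    "%ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst inside:22.22.22.2 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:10.0.0.5 (type 8, code 0)",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.9/443 "
    "(203.0.113.9/443) to inside:10.0.0.5/5000 (10.0.0.5/5000)",
]

# Matches the 106014 "Deny inbound icmp" message: interface names precede the
# colon in each endpoint field, then the address, then ICMP type and code.
ICMP_DENY_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106014: Deny inbound icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)


@dataclass(frozen=True)
class IcmpDeny:
    """One parsed %ASA-3-106014 event."""
    severity: int
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    icmp_type: int
    icmp_code: int

    @property
    def intra_interface(self) -> bool:
        # True when the packet was denied while trying to leave through the
        # same interface it entered on (e.g. inside -> inside).
        return self.src_if == self.dst_if


def parse_icmp_deny(line: str) -> Optional[IcmpDeny]:
    """Parse a 106014 line; return None for any other message."""
    m = ICMP_DENY_RE.search(line)
    if not m:
        return None
    return IcmpDeny(
        severity=int(m["sev"]),
        src_if=m["src_if"],
        src_ip=m["src_ip"],
        dst_if=m["dst_if"],
        dst_ip=m["dst_ip"],
        icmp_type=int(m["type"]),
        icmp_code=int(m["code"]),
    )


def classify(line: str) -> str:
    """Label a line for an operator reading the deny stream."""
    event = parse_icmp_deny(line)
    if event is None:
        return "other"
    return "intra_interface" if event.intra_interface else "inter_interface"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per class so same-interface denies stand out."""
    counts = {"intra_interface": 0, "inter_interface": 0, "other": 0}
    for line in lines:
        counts[classify(line)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        event = parse_icmp_deny(line)
        if event:
            print(f"{classify(line):16s} {event.src_if}:{event.src_ip} -> "
                  f"{event.dst_if}:{event.dst_ip} icmp {event.icmp_type}/{event.icmp_code}")
    print(summarize(SAMPLE_LOGS))
```

Run against a syslog export, the summary separates denies between interfaces, which an interface access-group such as the one tested above can explain, from denies where both endpoints sit on the same interface, which it cannot.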