[c-nsp] EasyVPN IOS->ASA55xx
Peter Rathlev
peter at rathlev.dk
Mon Mar 31 15:30:03 EDT 2008
Hi William,
On Mon, 2008-03-31 at 14:24 +0100, William wrote:
> Hi List,
>
> With the help of Kaj I was able to resolve the authentication issue.
>
> I'm now having an access-list issue I think...
>
> It seems the user can connect from behind their 800 router to our
> network but we cannot make a connection back to them, the behavior is
> like when you have EasyVPN on 'client mode'.
>
> For example when we try to ping we get:
>
> %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst
> inside:22.22.22.2 (type 8, code 0)
Do you have the "icmp permit <net> <type> <interface>" commands in your
configuration?
> There was no access-list applied to the inside, so I did the following
> for testing:
>
> access-list inside_access_in extended permit ip any any
>
> then
>
> access-group inside_access_in in interface inside
>
> The access-list is getting hit but I'm still getting denys in the logs.
>
> I can't see what else could be stopping the packets?
You have to allow ICMP separately; an ACL entry is not enough, I'm
afraid. A little unintuitive, but that's Cisco. :-)
Regards,
Peter
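
Added example, not part of the original message: a Python parser for %ASA-3-106014 deny lines like the one quoted above. It tolerates e-mail line wrapping and groups the denies by interface pair and ICMP type, so a log can be re-checked after each configuration change. The function names and every sample line other than the quoted one are constructed for illustration.

```python
import re
from collections import Counter

# Field layout of %ASA-3-106014 as it appears in the quoted log line.
DENY_RE = re.compile(
    r"%ASA-3-106014: Deny inbound icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)
ICMP_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}

# Constructed sample: the first entry is the line quoted in the thread (still
# wrapped as in the e-mail); the other two lines are made up for contrast.
SAMPLE = """\
%ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst
inside:22.22.22.2 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:192.0.2.10 dst inside:22.22.22.2 (type 8, code 0)
some unrelated syslog line that must be ignored
"""

def parse_denies(text):
    """Return one dict per 106014 entry found in text."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    denies = []
    for m in DENY_RE.finditer(flat):
        d = m.groupdict()
        d["type"], d["code"] = int(d["type"]), int(d["code"])
        d["icmp"] = ICMP_NAMES.get(d["type"], f"type-{d['type']}")
        # Triage hint only: the packet was seen on, and addressed to, one interface.
        d["same_interface"] = d["src_if"] == d["dst_if"]
        denies.append(d)
    return denies

def summarize(denies):
    """Count denies per (source interface, destination interface, ICMP type)."""
    return Counter((d["src_if"], d["dst_if"], d["icmp"]) for d in denies)

if __name__ == "__main__":
    for (src_if, dst_if, icmp), count in summarize(parse_denies(SAMPLE)).items():
        print(f"{count:3d}  {src_if} -> {dst_if}  {icmp}")
```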