[c-nsp] EasyVPN IOS->ASA55xx

William willay at gmail.com
Mon Mar 31 16:01:15 EDT 2008


Hi Peter,

I did try the icmp permit commands but that still doesn't fix my issue.
I also get DENYs come up in the logs when I try to telnet to the
devices over the vpn (on the client 800 end).

Regards,

William

On 31/03/2008, Peter Rathlev <peter at rathlev.dk> wrote:
> Hi William,
>
>
>  On Mon, 2008-03-31 at 14:24 +0100, William wrote:
>  > Hi List,
>  >
>  > With the help of Kaj I was able to resolve the authentication issue.
>  >
>  > I'm now having an access-list issue I think...
>  >
>  > It seems the user can connect from behind their 800 router to our
>  > network but we cannot make a connection back to them, the behavior is
>  > like when you have EasyVPN on 'client mode'.
>  >
>  > For example when we try to ping we get:
>  >
>  > %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst
>  > inside:22.22.22.2 (type 8, code 0)
>
>
> Do you have the "icmp permit <net> <type> <interface>" commands in your
>  configuration?
>
>
>  > There was no access-list applied to the inside, so I did the following
>  > for testing:
>  >
>  > access-list inside_access_in extended permit ip any any
>  >
>  > then
>  >
>  > access-group inside_access_in in interface inside
>  >
>  > The access-list is getting hit but I'm still getting denys in the logs.
>  >
>  > I can't see what else could be stopping the packets?
>
>
> You have to allow ICMP separately, an ACL entry is not enough I'm
>  afraid. A little un-intuitive, but that's Cisco. :-)
>
>  Regards,
>
> Peter
>
>
>

