[c-nsp] EasyVPN IOS->ASA55xx
William
willay at gmail.com
Mon Mar 31 16:01:15 EDT 2008
Hi Peter,
I did try the icmp permit commands but that still doesn't fix my issue.
I also get DENYs coming up in the logs when I try to telnet to the
devices over the vpn (on the client 800 end).
Regards,
William
On 31/03/2008, Peter Rathlev <peter at rathlev.dk> wrote:
> Hi William,
>
>
> On Mon, 2008-03-31 at 14:24 +0100, William wrote:
> > Hi List,
> >
> > With the help of Kaj I was able to resolve the authentication issue.
> >
> > I'm now having an access-list issue I think...
> >
> > It seems the user can connect from behind their 800 router to our
> > network but we cannot make a connection back to them, the behavior is
> > like when you have EasyVPN on 'client mode'.
> >
> > For example when we try to ping we get:
> >
> > %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst
> > inside:22.22.22.2 (type 8, code 0)
>
>
> Do you have the "icmp permit <net> <type> <interface>" commands in your
> configuration?
>
>
> > There was no access-list applied to the inside, so I did the following
> > for testing:
> >
> > access-list inside_access_in extended permit ip any any
> >
> > then
> >
> > access-group inside_access_in in interface inside
> >
> > The access-list is getting hit but I'm still getting denys in the logs.
> >
> > I can't see what else could be stopping the packets?
>
>
> You have to allow ICMP separately, an ACL entry is not enough I'm
> afraid. A little un-intuitive, but that's Cisco. :-)
>
> Regards,
>
> Peter
>
>
>