[c-nsp] EasyVPN IOS->ASA55xx

Peter Rathlev peter at rathlev.dk
Mon Mar 31 17:11:00 EDT 2008


On Mon, 2008-03-31 at 21:01 +0100, William wrote:
> I did try the icmp permit commands but that still doesn't fix my issue.
> I also get DENYs come up in the logs when I try to telnet to the
> devices over the vpn (on the client 800 end).

> > > %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst
> > > inside:22.22.22.2 (type 8, code 0)

This is an ICMP deny, specifically addressed by the "icmp permit"
commands. If you get denies from TCP connections the log messages will be
different. They should actually tell you which ACL denies the traffic.
(If it says "" it's an implicit deny on an interface without an ACL.)
Their format (the log message number) could give a clue.

I'm just shooting in the dark, but according to the above message the
traffic enters and exits the same interface; do you have the
"same-security-traffic permit intra-interface" command for that?

Otherwise I'm blank. :-)

Regards,
Peter
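
The triage described in this message, as an added example that is not part of the original post: a small Python parser that reads the syslog message number to separate ICMP denies (106014) from ACL denies (106023) and flags traffic that enters and exits the same interface. The 106023 sample line and the ACL name `inside_in` are constructed for illustration.

```python
import re

# Endpoint as "interface:address[/port]"; {0} is "s" (source) or "d" (destination).
_EP = r"(?P<{0}if>[^:\s]+):(?P<{0}ip>[^/\s]+)(?:/\d+)?"
_PAIR = r"src\s+" + _EP.format("s") + r"\s+dst\s+" + _EP.format("d")
HEADER = re.compile(r"%ASA-\d-(?P<id>\d{6}):\s*(?P<body>.*)")
BODIES = {
    # 106014: ICMP deny, the case the "icmp permit" commands address.
    "106014": re.compile(r"Deny inbound icmp " + _PAIR),
    # 106023: deny by a named access-group (ACL).
    "106023": re.compile(r"Deny (?P<proto>\S+) " + _PAIR
                         + r'.*?by access-group "(?P<acl>[^"]*)"'),
}

def classify(line):
    """Describe one ASA deny message; None if the text is not an ASA syslog line."""
    head = HEADER.search(" ".join(line.split()))  # re-join lines wrapped by mail
    if not head:
        return None
    pattern = BODIES.get(head["id"])
    fields = pattern.search(head["body"]) if pattern else None
    if not fields:
        return {"id": head["id"], "kind": "unhandled", "hints": []}
    f = fields.groupdict()
    icmp = head["id"] == "106014"
    hints = ['ICMP deny: review "icmp permit"'] if icmp \
        else [f'denied by ACL "{f["acl"]}"']
    hairpin = f["sif"] == f["dif"]
    if hairpin:
        hints.append('same interface in and out: check '
                     '"same-security-traffic permit intra-interface"')
    return {"id": head["id"], "kind": "icmp-deny" if icmp else "acl-deny",
            "src": (f["sif"], f["sip"]), "dst": (f["dif"], f["dip"]),
            "acl": f.get("acl"), "hairpin": hairpin, "hints": hints}

SAMPLES = [
    # Quoted in the thread above (wrapped across two lines, as in the mail).
    "%ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst\n"
    "inside:22.22.22.2 (type 8, code 0)",
    # Constructed sample: a telnet attempt denied by a hypothetical ACL.
    '%ASA-4-106023: Deny tcp src inside:11.11.11.1/1025 '
    'dst inside:22.22.22.2/23 by access-group "inside_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify(sample)
        print(result["id"], result["kind"], "; ".join(result["hints"]))
```
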
