RE: EzVPN working in just single way

From: CCIE <ccie_at_axizo.com>
Date: Sun, 30 Aug 2009 14:06:45 +0300

ciscoasa# show crypto ipsec sa

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 217.66.248.34

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.150.20/255.255.255.255/0/0)
      current_peer: 83.244.99.248, username:
      dynamic allocated peer ip: 192.168.150.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 287, #pkts decrypt: 287, #pkts verify: 287
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 217.66.248.34/4500, remote crypto endpt.: 83.244.99.248/53286

      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: F2671A3C

    inbound esp sas:
      spi: 0x65AC6C81 (1705798785)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 41, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27600
         IV size: 8 bytes
         replay detection support: Y

    outbound esp sas:
      spi: 0xF2671A3C (4066843196)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 41, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27599
         IV size: 8 bytes
         replay detection support: Y

From: Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
Sent: Sunday, August 30, 2009 2:04 PM
To: CCIE
Cc: Joseph L. Brunner; ccielab_at_groupstudy.com
Subject: Re: EzVPN working in just single way

Please post the output of

show crypto ipsec sa (removing any sensitive information) from the ASA

Also, on the VPN client's 'statistics', do you see both the encr and decr count
increase (when you ping)?

2009/8/30 CCIE <ccie_at_axizo.com>

I tried that too. I tried to ping 10.0.2.1; it is not working.

While 10.0.2.1 can ping 192.168.150.20; that works perfectly.

From: Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
Sent: Sunday, August 30, 2009 1:56 PM
To: CCIE
Cc: Joseph L. Brunner; ccielab_at_groupstudy.com
Subject: Re: EzVPN working in just single way

Don't try to ping the ASA IP itself, try to ping any other server on the
inside.

On Sun, Aug 30, 2009 at 1:51 PM, CCIE <ccie_at_axizo.com> wrote:

Dear Joseph,
I verified all of these, and if you don't mind please have a look at what I
have:-

ciscoasa# show run nat
nat (inside) 0 access-list inside_nat0_outbound

ciscoasa# show run access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip any 192.168.150.0
255.255.255.0

ciscoasa# sho run ip local pool
ip local pool bank 192.168.150.20-192.168.150.30 mask 255.255.255.0

My PC got the IP 192.168.150.20. I can't ping the inside interface of the
ASA, while I can see it arrive at the ASA using show crypto ipsec sa.

Anyone from the inside can ping me.

Regards,
Amin

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joseph L. Brunner
Sent: Sunday, August 30, 2009 1:26 PM
To: CCIE; ccielab_at_groupstudy.com
Subject: RE: EzVPN working in just single way

Please confirm the ACLs on the ASA inside or other interface facing the
resources.
Please confirm NAT is not occurring for your pool address.
Please confirm the internal network knows how to get back to the ASA pool
address you're leasing.

Please post the results of

Show run nat
Show access-list
Show run access-group

From any internal routers

Post the result of "show ip route <pool ip>"

Thanks,

Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of CCIE
Sent: Sunday, August 30, 2009 6:17 AM
To: ccielab_at_groupstudy.com
Subject: EzVPN working in just single way

Hi experts,

I have set up an EzVPN between an ASA and the VPN client software. The VPN
client can connect and establish a VPN session with the VPN server, and the
devices behind the VPN server can ping and access any resources on my PC, but
I still can't access any resource from the server side, even though when I run
show crypto ipsec sa it shows me that the server side is getting that traffic
and decrypting it.

Regards,

Amin
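The one-way symptom in this thread is visible in the counters alone: the ASA reports #pkts decaps 287 and #pkts encaps 0 for the client SA, so client traffic decrypts but no reply from the inside ever reaches the crypto map. The following is an added example (not from anyone in the thread) that parses a `show crypto ipsec sa` block for exactly that signature and then checks the `nat 0` ACL destination against the `ip local pool` range, the two items Joe asked to confirm; the sample text is constructed from the values quoted above.

```python
import re
import ipaddress

# Constructed sample assembled from the counters and addresses quoted in this thread
SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 217.66.248.34
      remote ident (addr/mask/prot/port): (192.168.150.20/255.255.255.255/0/0)
      current_peer: 83.244.99.248, username:
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 287, #pkts decrypt: 287, #pkts verify: 287
"""

def parse_ipsec_sa(text):
    """Extract the peer, the assigned client address and the encap/decap counters
    from one SA block of 'show crypto ipsec sa'."""
    def grab(pattern, default=None):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    return {
        "peer": grab(r"current_peer:\s*([\d.]+)"),
        "client": grab(r"remote ident .*?\(([\d.]+)/"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)", "0")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)", "0")),
    }

def diagnose(sa, nat0_dst, pool_first, pool_last):
    """Return findings for a remote-access SA.

    nat0_dst is the destination network of the 'nat (inside) 0' ACL and the pool
    bounds come from 'ip local pool'.  decaps > 0 with encaps == 0 is the one-way
    case: the ASA decrypts what the client sends but never encrypts a reply, so
    NAT exemption, inside ACLs and return routing to the pool are the suspects.
    """
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way: inbound packets decrypt, nothing is encrypted back to %s"
                        % sa["client"])
    net = ipaddress.ip_network(nat0_dst)
    pool = ipaddress.summarize_address_range(ipaddress.ip_address(pool_first),
                                             ipaddress.ip_address(pool_last))
    if not all(block.subnet_of(net) for block in pool):
        findings.append("nat 0 ACL destination %s does not cover the whole pool" % nat0_dst)
    if sa["client"] and ipaddress.ip_address(sa["client"]) not in net:
        findings.append("client %s is not in the NAT-exempt network" % sa["client"])
    return findings

if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA)
    for line in diagnose(sa, "192.168.150.0/24", "192.168.150.20", "192.168.150.30"):
        print(line)
```

With the thread's own `nat 0` ACL and pool the only finding is the one-way counter signature, which points at inside ACLs and return routing rather than NAT exemption.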

Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
Received on Sun Aug 30 2009 - 14:06:45 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART