Do you have sysopt connection permit-vpn turned off? If so, you'll need to
explicitly allow your vpnpool access to your internal network.
Sent from handheld.
On Aug 30, 2009, at 7:11 AM, "Farrukh Haroon"
<farrukhharoon_at_gmail.com> wrote:
> Please post the output of
>
> show crypto ipsec sa (removing any sensitive information) from the ASA
>
> Also on the VPN client's 'statistics' do you see both encr and decr
> count increase (when you ping)?
>
>
>
> 2009/8/30 CCIE <ccie_at_axizo.com>
>
>> Even I tried.. I tried to ping 10.0.2.1 -> not working.
>>
>> While 10.0.2.1 can ping 192.168.150.20 -> Works perfectly
>>
>>
>>
>> *From:* Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
>> *Sent:* Sunday, August 30, 2009 1:56 PM
>> *To:* CCIE
>> *Cc:* Joseph L. Brunner; ccielab_at_groupstudy.com
>> *Subject:* Re: EzVPN working in just single way
>>
>>
>>
>> Don't try to ping the ASA IP itself, try to ping any other server on the
>> inside.
>>
>> On Sun, Aug 30, 2009 at 1:51 PM, CCIE <ccie_at_axizo.com> wrote:
>>
>> Dear Joseph,
>> I verified all of these, and if you don't mind please have a look at what I
>> have:-
>>
>> ciscoasa# show run nat
>> nat (inside) 0 access-list inside_nat0_outbound
>>
>> ciscoasa# show run access-list inside_nat0_outbound
>> access-list inside_nat0_outbound extended permit ip any 192.168.150.0 255.255.255.0
>>
>> ciscoasa# sho run ip local pool
>> ip local pool bank 192.168.150.20-192.168.150.30 mask 255.255.255.0
>>
>> My PC got the IP 192.168.150.20, I can't ping the inside interface of the
>> ASA, while I can see it arrive to the ASA using show crypto ipsec sa...
>>
>> Anyone from the inside can ping me.
>>
>>
>> Regards,
>> Amin
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Joseph L. Brunner
>> Sent: Sunday, August 30, 2009 1:26 PM
>> To: CCIE; ccielab_at_groupstudy.com
>> Subject: RE: EzVPN working in just single way
>>
>> Please confirm ACLs on the ASA inside or other interface facing the
>> resources.
>> Please confirm NAT is not occurring for your pool address.
>> Please confirm internal network knows how to get back to the ASA pool
>> address you're leasing.
>>
>> Please post the results of
>>
>> Show run nat
>> Show access-list
>> Show run access-group
>>
>> From any internal routers
>>
>> Post the result of "show ip route <pool ip>"
>>
>> Thanks,
>>
>> Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> CCIE
>> Sent: Sunday, August 30, 2009 6:17 AM
>> To: ccielab_at_groupstudy.com
>> Subject: EzVPN working in just single way
>>
>> Hi experts,
>>
>>
>>
>> I have set up an EzVPN between ASA and VPN client software, the VPN client
>> can connect and establish a VPN session with the VPN server, the devices
>> behind the VPN server can ping and access any resources on my PC, but I
>> still can't access any resource from the server side, even once I run show
>> crypto ipsec sa it shows me that the server side is getting that traffic
>> and decrypting it.
>>
>>
>>
>> Regards,
>>
>> Amin
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Aug 30 2009 - 09:00:13 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
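
The setting raised in the top reply, as an added ASA configuration example that is not part of the original thread: with `sysopt connection permit-vpn` enabled, decrypted tunnel traffic bypasses interface ACLs, and with it disabled the client pool needs an explicit permit on the interface where the tunnel terminates. The interface name `outside`, the ACL name `outside_access_in`, the 10.0.2.0/24 inside network and the TCP/443 service are assumptions; the pool range 192.168.150.0/24 comes from the thread.

```cisco
! Constructed example, not taken from the thread's device.
! Assumed: interface "outside" terminates the tunnel, ACL name
! "outside_access_in", inside network 10.0.2.0/24, service TCP/443.

! 1. See which mode the ASA is in ("all" also prints default settings).
show running-config all sysopt

! --- Case A: bypass enabled (the ASA default) -------------------------
! Decrypted VPN traffic skips the interface ACLs entirely. Only
! group-policy and per-user ACLs restrict what the client can reach.
sysopt connection permit-vpn

! --- Case B: bypass disabled ------------------------------------------
! Decrypted traffic is checked against the ACL bound to the interface
! it arrived on, so the pool must be permitted explicitly. Permit only
! what remote users need instead of "ip any any".
no sysopt connection permit-vpn
access-list outside_access_in extended permit icmp 192.168.150.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_access_in extended permit tcp 192.168.150.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 443
access-group outside_access_in in interface outside

! 2. Generate traffic from the VPN client, then confirm the entries
!    are matching (hitcnt should increase on the permit lines).
show access-list outside_access_in
```

An interface takes one inbound ACL, so if `show run access-group` already lists one on that interface, add the permit lines to that ACL rather than binding a new one.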