If I try to ping 192.168.100.2 (the inside IP of the ASA) it doesn't
answer, but it passes through the VPN tunnel; I verified that with show crypto
ipsec sa.
But if I try to ping 192.168.100.1 it doesn't pass through the VPN tunnel;
I verified that through show crypto ipsec sa.
Very strange???
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Farrukh Haroon
Sent: Sunday, August 30, 2009 2:14 PM
To: CCIE
Cc: Joseph L. Brunner; ccielab_at_groupstudy.com
Subject: Re: EzVPN working in just single way
As Joseph said, your internal network (10.0.x.x) does not know how to reach
the ASA VPN pool; you need to add a route for the ASA pool on all internal
routers behind the ASA.
Hint: What is the default gateway for device 10.0.2.1?
I really doubt that 10.0.2.1 can reach the VPN client based on the output
you gave.
Regards
Farrukh
2009/8/30 CCIE <ccie_at_axizo.com>
> ciscoasa# show crypto ipsec sa
>
> interface: outside
> Crypto map tag: outside_dyn_map, seq num: 20, local addr: 217.66.248.34
>
> local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
> remote ident (addr/mask/prot/port): (192.168.150.20/255.255.255.255/0/0)
> current_peer: 83.244.99.248, username:
> dynamic allocated peer ip: 192.168.150.20
>
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 287, #pkts decrypt: 287, #pkts verify: 287
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
> #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
> #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
> #send errors: 0, #recv errors: 0
>
> local crypto endpt.: 217.66.248.34/4500, remote crypto endpt.: 83.244.99.248/53286
> path mtu 1500, ipsec overhead 66, media mtu 1500
> current outbound spi: F2671A3C
>
> inbound esp sas:
> spi: 0x65AC6C81 (1705798785)
> transform: esp-3des esp-sha-hmac none
> in use settings ={RA, Tunnel, NAT-T-Encaps, }
> slot: 0, conn_id: 41, crypto-map: outside_dyn_map
> sa timing: remaining key lifetime (sec): 27600
> IV size: 8 bytes
> replay detection support: Y
>
> outbound esp sas:
> spi: 0xF2671A3C (4066843196)
> transform: esp-3des esp-sha-hmac none
> in use settings ={RA, Tunnel, NAT-T-Encaps, }
> slot: 0, conn_id: 41, crypto-map: outside_dyn_map
> sa timing: remaining key lifetime (sec): 27599
> IV size: 8 bytes
> replay detection support: Y
>
> *From:* Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
> *Sent:* Sunday, August 30, 2009 2:04 PM
> *To:* CCIE
> *Cc:* Joseph L. Brunner; ccielab_at_groupstudy.com
> *Subject:* Re: EzVPN working in just single way
>
> Please post the output of
>
> show crypto ipsec sa (removing any sensitive information) from the ASA
>
> Also on the VPN client's 'statistics' do you see both encr and decr count
> increase (when you ping)?
>
> 2009/8/30 CCIE <ccie_at_axizo.com>
>
> Even I tried.. I tried to ping 10.0.2.1, not working.
>
> While 10.0.2.1 can ping 192.168.150.20, works perfectly.
>
> *From:* Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
> *Sent:* Sunday, August 30, 2009 1:56 PM
> *To:* CCIE
> *Cc:* Joseph L. Brunner; ccielab_at_groupstudy.com
> *Subject:* Re: EzVPN working in just single way
>
> Don't try to ping the ASA IP itself, try to ping any other server on the
> inside.
>
> On Sun, Aug 30, 2009 at 1:51 PM, CCIE <ccie_at_axizo.com> wrote:
>
> Dear Joseph,
> I verified all of these, and if you don't mind please have a look at what I
> have:-
>
> ciscoasa# show run nat
> nat (inside) 0 access-list inside_nat0_outbound
>
> ciscoasa# show run access-list inside_nat0_outbound
> access-list inside_nat0_outbound extended permit ip any 192.168.150.0
> 255.255.255.0
>
> ciscoasa# sho run ip local pool
> ip local pool bank 192.168.150.20-192.168.150.30 mask 255.255.255.0
>
> My PC got the IP 192.168.150.20; I can't ping the inside interface of the
> ASA, while I can see it arrive at the ASA using show crypto ipsec sa...
>
> Anyone from the inside can ping me.
>
> Regards,
> Amin
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joseph L. Brunner
> Sent: Sunday, August 30, 2009 1:26 PM
> To: CCIE; ccielab_at_groupstudy.com
> Subject: RE: EzVPN working in just single way
>
> Please confirm ACLs on the ASA inside or other interface facing the
> resources.
> Please confirm NAT is not occurring for your pool address.
> Please confirm the internal network knows how to get back to the ASA pool
> address you're leasing.
>
> Please post the results of
>
> Show run nat
> Show access-list
> Show run access-group
>
> From any internal routers
>
> Post the result of "show ip route <pool ip>"
>
> Thanks,
>
> Joe
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> CCIE
> Sent: Sunday, August 30, 2009 6:17 AM
> To: ccielab_at_groupstudy.com
> Subject: EzVPN working in just single way
>
> Hi experts,
>
> I have set up an EzVPN between an ASA and VPN client software. The VPN client
> can connect and establish a VPN session with the VPN server, and the devices
> behind the VPN server can ping and access any resources on my PC, but I
> still can't access any resource from the server side, even though once I run show
> crypto ipsec sa it shows me that the server side is getting that traffic
> and decrypting it.
>
> Regards,
>
> Amin
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Sun Aug 30 2009 - 21:15:01 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
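The thread's diagnosis rests on reading the counter pairs in `show crypto ipsec sa`: decaps rising while encaps stays at zero means the ASA is decrypting the client's packets but nothing is being encrypted back, which is exactly what a missing return route (or NAT/ACL on the reply path) looks like. The script below is an added example, not code from the thread, from Cisco, or from any of the posters: it parses the counters out of that command's output, classifies each SA as bidirectional, decrypt-only, encrypt-only or idle, and compares two snapshots the way Farrukh asked ("do you see both encr and decr count increase when you ping?"). The parser, the `IpsecSa` class, the `classify` and `counter_delta` helpers and the hint text are my own; the sample output is the thread's own excerpt trimmed to the lines read, and the "after" snapshot is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 'show crypto ipsec sa' excerpt posted in the thread,
# trimmed to the lines this parser reads. Addresses and counters are the thread's own.
SAMPLE_BEFORE = """\
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 217.66.248.34

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.150.20/255.255.255.255/0/0)
current_peer: 83.244.99.248, username:
dynamic allocated peer ip: 192.168.150.20

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 287, #pkts decrypt: 287, #pkts verify: 287
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
"""

# Constructed second snapshot, as if taken after the client sent five more pings:
# decaps grew, encaps did not, which is the signature of a missing return path.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "#pkts decaps: 287, #pkts decrypt: 287, #pkts verify: 287",
    "#pkts decaps: 292, #pkts decrypt: 292, #pkts verify: 292",
)


@dataclass
class IpsecSa:
    crypto_map: str = ""
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


# Counter fields worth extracting; each regex captures the integer after the label.
_COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}


def parse_ipsec_sa(text):
    """Return one IpsecSa per 'Crypto map tag' block found in the command output."""
    sas = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Crypto map tag: ([^,]+),", line)
        if m:
            cur = IpsecSa(crypto_map=m.group(1))
            sas.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first crypto map block
        if line.startswith("local ident"):
            cur.local_ident = line.rsplit("(", 1)[1].rstrip(")")
        elif line.startswith("remote ident"):
            cur.remote_ident = line.rsplit("(", 1)[1].rstrip(")")
        elif line.startswith("current_peer:"):
            cur.peer = line.split(":", 1)[1].split(",")[0].strip()
        for name, rx in _COUNTERS.items():
            m = rx.search(line)
            if m:
                setattr(cur, name, int(m.group(1)))
    return sas


def classify(sa):
    """Classify one SA from its encap/decap counters."""
    if sa.encaps and sa.decaps:
        return "bidirectional"
    if sa.decaps and not sa.encaps:
        return "decrypt-only"
    if sa.encaps and not sa.decaps:
        return "encrypt-only"
    return "idle"


HINTS = {
    "decrypt-only": "Peer traffic arrives and is decrypted but nothing is encrypted back: "
                    "check that inside hosts have a route for the remote ident prefix via the ASA, "
                    "and that NAT exemption and the inside ACL allow the reply.",
    "encrypt-only": "Traffic is sent to the peer but nothing returns: check the remote side's return path.",
    "idle": "No packets in either direction: the SA is up but no traffic selects it.",
    "bidirectional": "Both directions carry traffic.",
}


def counter_delta(before, after):
    """Compare two snapshots of the same SAs (matched by remote ident); returns growth per direction."""
    index = {sa.remote_ident: sa for sa in before}
    deltas = {}
    for sa in after:
        prev = index.get(sa.remote_ident)
        if prev is not None:
            deltas[sa.remote_ident] = {"encaps": sa.encaps - prev.encaps,
                                       "decaps": sa.decaps - prev.decaps}
    return deltas


if __name__ == "__main__":
    before, after = parse_ipsec_sa(SAMPLE_BEFORE), parse_ipsec_sa(SAMPLE_AFTER)
    for sa in after:
        state = classify(sa)
        print(f"{sa.crypto_map} peer={sa.peer} remote={sa.remote_ident}: {state}")
        print("  " + HINTS[state])
    print("growth since last snapshot:", counter_delta(before, after))
```

Run it against two pastes of the command taken before and after a test ping; a `decrypt-only` SA whose `decaps` delta grows while `encaps` stays at zero points at the return path (route, NAT exemption, inside ACL) rather than at the tunnel itself, which is the conclusion the thread reaches.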