RE: EzVPN working in just single way

From: Ryan West <rwest_at_zyedge.com>
Date: Sun, 30 Aug 2009 17:29:53 -0400

Hi,

Did you check that you don't have this statement in your running config:

no sysopt connection permit-vpn

Did you also verify whether you have 'management-access inside' turned on? Try the following debug and terminal logging to gather more information.

Logging monitor informational
Logging class vpn monitor debug
Term mon

Then connect up and start your pings; any translation or ACL errors should be picked up by the informational monitor. The class vpn monitor debug should display anything funky about the connection if it exists.

If what you're saying is correct, that other machines on your network can ping VPN hosts but VPN hosts cannot ping in, it really sounds like 'sysopt connection permit-vpn'.

Let us know what you find.

-ryan
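The checks Ryan lists above (whether 'sysopt connection permit-vpn' is off, whether 'management-access inside' is set) together with Joe's request further down to confirm NAT is not occurring for the pool can be run as a quick offline audit of the running config. The script below is an added example, not code from the list, from Amin, or from Cisco. It works on a constructed running-config excerpt built from the lines Amin posted; the 10.0.2.0/24 inside network in the "fixed" variant is an assumption around the 10.0.2.1 host mentioned later in the thread, and the ACL parser only understands the `any` / `host A` / `NET MASK` endpoint forms with optional port operators.

```python
"""Audit an ASA running config for the three return-path conditions raised in
this thread: VPN pool not NAT-exempt, decrypted tunnel traffic filtered by the
outside ACL when permit-vpn is off, and 'management-access inside' missing.
Constructed example; not list or Cisco code."""
import ipaddress
import re

# Constructed sample built from the lines Amin posted, plus the condition Ryan
# suspects: permit-vpn turned off with no outside ACL admitting the pool.
CONFIG_SUSPECT = """\
ip local pool bank 192.168.150.20-192.168.150.30 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.150.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
no sysopt connection permit-vpn
"""

# Same config with the two remedies from the thread applied. 10.0.2.0/24 is an
# assumed inside network around the 10.0.2.1 host mentioned in the thread.
CONFIG_FIXED = CONFIG_SUSPECT + """\
management-access inside
access-list outside_access_in extended permit ip 192.168.150.0 255.255.255.0 10.0.2.0 255.255.255.0
access-group outside_access_in in interface outside
"""

def parse_pools(config):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3)))
    return pools

def _endpoint(tokens):
    """Consume one ACL endpoint (any | host A | NET MASK) and any port operator."""
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:
        net, rest = ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]
    if rest and rest[0] in ("eq", "gt", "lt", "neq"):
        rest = rest[2:]
    elif rest and rest[0] == "range":
        rest = rest[3:]
    return net, rest

def parse_acl(config, name):
    """Return (action, protocol, src_net, dst_net) for each entry of an extended ACL."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        src, rest = _endpoint(t[5:])
        dst, _ = _endpoint(rest)
        entries.append((t[3], t[4], src, dst))
    return entries

def _covers(net, first, last):
    """A contiguous range lies inside a network iff both of its ends do."""
    return first in net and last in net

def audit(config, pool_name):
    """Run the checks from the thread against one pool; returns a findings dict."""
    first, last = parse_pools(config)[pool_name]
    findings = {
        "sysopt_permit_vpn_disabled": bool(
            re.search(r"^no sysopt connection permit-vpn\s*$", config, re.M)),
        "management_access_inside": bool(
            re.search(r"^management-access inside\s*$", config, re.M)),
        "pool_exempt_from_nat": False,
        "outside_acl_permits_pool": False,
    }
    # nat 0 identity exemption: the pool must be the destination of a 'permit ip' entry.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if m:
        findings["pool_exempt_from_nat"] = any(
            act == "permit" and proto == "ip" and _covers(dst, first, last)
            for act, proto, _src, dst in parse_acl(config, m.group(1)))
    # With permit-vpn off, decrypted traffic is subject to the outside inbound ACL.
    m = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    if m:
        findings["outside_acl_permits_pool"] = any(
            act == "permit" and _covers(src, first, last)
            for act, _proto, src, _dst in parse_acl(config, m.group(1)))
    return findings

def issues(findings):
    """Turn findings into the items a reviewer would raise."""
    out = []
    if not findings["pool_exempt_from_nat"]:
        out.append("pool is not exempted from NAT (nat 0 ACL does not cover it)")
    if findings["sysopt_permit_vpn_disabled"] and not findings["outside_acl_permits_pool"]:
        out.append("permit-vpn is off and no outside ACL entry admits the pool")
    if not findings["management_access_inside"]:
        out.append("management-access inside is not set; the inside interface "
                   "address will not answer over the tunnel")
    return out

if __name__ == "__main__":
    for label, cfg in (("suspect", CONFIG_SUSPECT), ("fixed", CONFIG_FIXED)):
        print(label + ":", issues(audit(cfg, "bank")) or ["no issues found"])
```

Against the "suspect" excerpt the audit confirms the nat 0 exemption is fine (which matches Amin's observation that the ASA decrypts the traffic) and flags the two items Ryan raises; the "fixed" excerpt keeps permit-vpn off but adds the explicit outside ACL entry for the pool, which is the alternative Ryan describes.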

-----Original Message-----
From: CCIE [mailto:ccie_at_axizo.com]
Sent: Sunday, August 30, 2009 2:10 PM
To: Ryan West; 'Farrukh Haroon'
Cc: 'Joseph L. Brunner'; ccielab_at_groupstudy.com
Subject: RE: EzVPN working in just single way

If I try the inside IP of the ASA, it appears that the ping passes through
the VPN; I can verify that with show crypto ipsec sa. But if I try to ping
any of the inside IPs, it doesn't pass through the VPN tunnel.
I still can't get pings to the inside through the VPN tunnel; if you can give
me more hints..

-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: Sunday, August 30, 2009 4:00 PM
To: Farrukh Haroon
Cc: CCIE; Joseph L. Brunner; ccielab_at_groupstudy.com
Subject: Re: EzVPN working in just single way

Do you have sysopt connection permit-vpn turned off? If so, you'll need to
explicitly allow your vpnpool access to your internal network.

Sent from handheld.

On Aug 30, 2009, at 7:11 AM, "Farrukh Haroon"
<farrukhharoon_at_gmail.com> wrote:

> Please post the output of
>
> show crypto ipsec sa (removing any sensitive information) from the ASA
>
> Also on the VPN client's 'statistics' do you see both encr and decr
> count increase (when you ping)?
>
> 2009/8/30 CCIE <ccie_at_axizo.com>
>
>> Even I tried.. I tried to ping 10.0.2.1, not working.
>>
>> While 10.0.2.1 can ping 192.168.150.20, works perfectly
>>
>> *From:* Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
>> *Sent:* Sunday, August 30, 2009 1:56 PM
>> *To:* CCIE
>> *Cc:* Joseph L. Brunner; ccielab_at_groupstudy.com
>> *Subject:* Re: EzVPN working in just single way
>>
>> Don't try to ping the ASA IP itself, try to ping any other server on the
>> inside.
>>
>> On Sun, Aug 30, 2009 at 1:51 PM, CCIE <ccie_at_axizo.com> wrote:
>>
>> Dear Joseph,
>> I verified all of these, and if you don't mind please have a look at what I
>> have:-
>>
>> ciscoasa# show run nat
>> nat (inside) 0 access-list inside_nat0_outbound
>>
>> ciscoasa# show run access-list inside_nat0_outbound
>> access-list inside_nat0_outbound extended permit ip any 192.168.150.0
>> 255.255.255.0
>>
>> ciscoasa# sho run ip local pool
>> ip local pool bank 192.168.150.20-192.168.150.30 mask 255.255.255.0
>>
>> My PC got the IP 192.168.150.20. I can't ping the inside interface of the
>> ASA, while I can see it arrive at the ASA using show crypto ipsec sa...
>>
>> Anyone from the inside can ping me.
>>
>>
>> Regards,
>> Amin
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
>> Behalf Of
>>
>> Joseph L. Brunner
>> Sent: Sunday, August 30, 2009 1:26 PM
>> To: CCIE; ccielab_at_groupstudy.com
>> Subject: RE: EzVPN working in just single way
>>
>> Please confirm ACLs on the ASA inside or other interface facing the
>> resources.
>> Please confirm NAT is not occurring for your pool address.
>> Please confirm the internal network knows how to get back to the ASA pool
>> address you're leasing.
>>
>> Please post the results of
>>
>> Show run nat
>> Show access-list
>> Show run access-group
>>
>> From any internal routers
>>
>> Post the result of "show ip route <pool ip>"
>>
>> Thanks,
>>
>> Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
>> Behalf Of
>> CCIE
>> Sent: Sunday, August 30, 2009 6:17 AM
>> To: ccielab_at_groupstudy.com
>> Subject: EzVPN working in just single way
>>
>> Hi experts,
>>
>> I have set up an EzVPN between an ASA and VPN client software. The VPN
>> client can connect and establish a VPN session with the VPN server, and the
>> devices behind the VPN server can ping and access any resources on my PC,
>> but I still can't access any resource from the server side, even though when
>> I run show crypto ipsec sa it shows me that the server side is getting that
>> traffic and decrypting it.
>>
>> Regards,
>>
>> Amin
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>> __________ Information from ESET NOD32 Antivirus, version of virus
>> signature
>> database 4314 (20090807) __________
>>
>> The message was checked by ESET NOD32 Antivirus.
>>
>> http://www.eset.com
>>


Received on Sun Aug 30 2009 - 17:29:53 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART