Cisco Support Community

Easy-VPN between an ASA and a router issue

Hi all,

I am currently having an issue between an ASA and a router. We have configured an Easy VPN between the two devices, with the ASA as the server and the router as the client. The tunnel comes up and the client can access the resources behind the ASA server, but the problem is from the server side: they cannot access the client-side resources.

I did a packet capture and was able to see local (server-side) pings being sent, but there is no reply from the client side:

   1: 13:29:15.048489 x.x.x.x > y.y.y.y.y: icmp: echo request
   2: 13:29:19.553255 x.x.x.x > y.y.y.y.y: icmp: echo request
   3: 13:29:24.552965 x.x.x.x > y.y.y.y.y: icmp: echo request
   4: 13:29:29.553194 x.x.x.x > y.y.y.y.y: icmp: echo request
   5: 13:29:34.553133 x.x.x.x > y.y.y.y.y: icmp: echo request

I will try to see whether the packets do get encrypted or not per sh crypto ipsec sa; once I do, I will let you guys know.

Client side configuration (IP address and names are changed)

    ip dhcp pool DHCPLAN
     network 192.x.x.x
     default-router 192.x.x.x
     dns-server 10.y.y.y1 10.y.y.y2

    crypto ipsec client ezvpn aaa
     connect auto
     group DefaultRAGroup key ############
     mode network-extension
     peer 212.x.x.x
     username aaa password ##########
     xauth userid mode local

    interface Vlan1
     description xxxx
     ip address 192.x.x.x
     crypto ipsec client ezvpn bbbb inside

    interface FastEthernet4
     description Privates
     ip address dhcp
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto ipsec client ezvpn bbbb

********************ASA EASY-VPN Server****************************************

    interface Management0/0
     nameif management
     security-level 100
     ip address 192.x.x.x

    access-list list standard permit 172.x.x.x. 255.255.x.x
    access-list list standard permit 192.x.x.x

    nat (inside,outside) source static any any destination static kkkk  kkkk

    crypto ipsec abcd transform-set EAZY esp-3des esp-sha-hmac
    crypto dynamic-map easy-vpn-dyn 5 set abcd transform-set EAZY
    crypto map easy-map 65535 ipsec-isakmp dynamic easy-dyn
    crypto map easy-map interface outside
    crypto isakmp identity address
    crypto abcd enable outside
    crypto abcd policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    group-policy DfltGrpPolicy attributes
     password-storage enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value list
     nem enable

    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****

Sorry, I had to rename the groups and change the IP addresses; I might have mistyped or applied incorrect info.

Thanks in advance
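
An added example, not part of the original post: a small Python parser for capture text in the format shown above that pairs ICMP echo requests with replies and lists the flows that only ever went one way, which is the symptom described. The sample capture and its addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the capture text format shown in the post; the
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
   1: 13:29:15.048489 192.0.2.10 > 198.51.100.20: icmp: echo request
   2: 13:29:19.553255 192.0.2.10 > 198.51.100.20: icmp: echo request
   3: 13:29:20.101002 198.51.100.30 > 192.0.2.10: icmp: echo request
   4: 13:29:20.101950 192.0.2.10 > 198.51.100.30: icmp: echo reply
   5: 13:29:24.552965 192.0.2.10 > 198.51.100.20: icmp: echo request
"""

LINE = re.compile(
    r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)


def echo_summary(capture_text):
    """Return {(requester, target): [requests, replies]} for ICMP echo traffic."""
    flows = defaultdict(lambda: [0, 0])
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines that are not ICMP echo traffic are ignored
        src, dst = m["src"], m["dst"]
        if m["kind"] == "request":
            flows[(src, dst)][0] += 1
        else:
            # A reply travels target -> requester, so credit the reversed pair.
            flows[(dst, src)][1] += 1
    return dict(flows)


def one_way_flows(capture_text):
    """Flows where requests were captured but no reply was ever seen."""
    return sorted(
        flow for flow, (req, rep) in echo_summary(capture_text).items()
        if req > 0 and rep == 0
    )


if __name__ == "__main__":
    for requester, target in one_way_flows(SAMPLE):
        print(f"no echo reply seen: {requester} -> {target}")
```

Running the same check on captures taken on both the inside and outside interfaces shows on which side of the tunnel the requests stop or the replies go missing.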

