
Allow 871W EZVPN to access internal network?

Level 1


I've inherited some 871W's that are currently configured to establish ezvpn IPSEC connections to a Cisco ASA 5520.

I'm somewhat shaky on IOS...not bad, but by no means an expert.

I need the 871's to be able to contact certain servers on our internal network (inside the ASA) but don't seem to be able to do it:

I can log in via SSH to the 871 from IP XXXXX (inside the ASA), but I can't ping back to XXXXX from the IOS command line. I'm certain this is intended by the configuration but don't know where to look (ASA config? 871 config?).

I need to be able to tftp the 871 configs to a server inside the trusted network and also do RADIUS authentication.

Any help is greatly appreciated!


(I can post any requested config if needed)

EDIT: Actually I guess the RADIUS part doesn't apply...the ASA does that.

1 Reply

Level 1

Normally you cannot ping from one endpoint of a VPN to another. This is because the traffic has a source IP of the public IP address, which normally is not encapsulated by the VPN and so is sent out to the ASA over the Internet, not the VPN, in which case it would get blocked. You can adjust the access list that classifies traffic as "interesting" to include the public IP address of the router. Look for the "match address XXX" command under the crypto map config, where XXX is the name or number of an access list. Then just modify that access list to include the public IP of the router.

I might be wrong on this, so check two things. First, that the ping is sourcing from the public IP. The second is a little more tricky: I forget where the VPN checks for traffic, so if it is on the outside interface you are OK; if it is on the inside interface I am not sure this will work.

Also I am assuming that you want this to work more than once, because otherwise I imagine you would just copy and paste the configs out of SSH.
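A worked version of the check suggested above, added here as an example rather than taken from either post: first confirm which source address the router's own ping is using, then force router-originated traffic (ping, and the TFTP copy the question asks about) to be sourced from the inside interface so it is classified like LAN-host traffic and goes through the tunnel. Interface names and addresses are assumptions: Vlan1 is the 871W's inside LAN, FastEthernet4 its WAN interface, 10.10.10.50 the server behind the ASA.

```ios
! Added example, not from the original posts. Vlan1, FastEthernet4,
! 10.10.10.50 and the filename are assumed values; substitute your own.

! 1. A bare ping is sourced from the exit (WAN) interface, i.e. the public IP,
!    which the VPN's interesting-traffic definition does not cover. Compare it
!    with a ping explicitly sourced from the inside interface.
Router# ping 10.10.10.50
Router# ping 10.10.10.50 source Vlan1

! 2. Confirm the EZVPN tunnel is up, which mode it runs in (client or
!    network-extension) and what address the ASA assigned, then check that the
!    "pkts encaps" counter grows when the inside-sourced ping is repeated.
Router# show crypto ipsec client ezvpn
Router# show crypto ipsec sa | include local ident|remote ident|pkts encaps

! 3. Make router-originated TFTP traffic use the inside address permanently,
!    so config backups are sent through the tunnel rather than out the WAN.
Router# configure terminal
Router(config)# ip tftp source-interface Vlan1
Router(config)# end

! 4. Back up the running configuration to the server inside the ASA.
Router# copy running-config tftp://10.10.10.50/871w-site1.cfg
```

Two caveats. In EZVPN client mode the router's inside subnet is translated to the address the ASA assigns, whereas in network-extension mode the inside subnet is carried as-is, so the ASA side (its split-tunnel or crypto policy for the group) has to cover the assigned address or the inside subnet respectively, and the server subnet must be in the list pushed to the client; if step 1 succeeds with the inside source but step 3 still fails, that is where to look. And sourcing from the inside interface assumes that interface has an address on the subnet the tunnel protects; if the 871W has no such interface, pick the interface or loopback the EZVPN configuration actually protects.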