ASA EasyVPN setup -- can't ping loopback on CME router

Answered Question
Jul 5th, 2010

Hi there,


I'm not sure if this is a firewall issue or something on my router, so I thought I'd start here.  I have an ASA 5505 at home that I'm using as an EasyVPN client for the purpose of connecting a Cisco IP phone to a 2851 CME router.  At the office I have an ASA 5510 that is acting as the EasyVPN server.  The loopback address of the CME router is 10.1.254.254, and the ethernet interfaces of the router are 10.2.100.50 and 10.1.100.1.  The EasyVPN client gets an address of 192.168.100.1 on the EasyVPN server.


From my house, if I hook up a computer to my ASA 5505, the VPN builds and I can ping all my internal hosts (at the office), and I can ping both the interfaces of the router.  If I attempt to ping the router loopback address I get nothing.   If I start at the router and work my way to the EasyVPN server (ASA 5510) I can ping the router loopback address from the main switch, and then from the ASA5510. I think it's a firewall issue because of captures I've setup on both inside interfaces on the ASA's:


If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo replies on the ASA5505, and I see them on the ASA5510 -- successfully traversing the VPN tunnel.


If I ping 10.1.254.254, I see the echo request at the ASA5505, but I don't see anything on the ASA5510.


I've checked my nat_exemption on the ASA5510 and I have an entry like this:


access-list nat_exemption extended permit ip any 192.168.100.0 255.255.255.128


I can provide more configs if necessary, but does anyone have any ideas where I'm going wrong?


Thanks in advance,


Brandon

Correct Answer by Marcin Latosiewicz, Tue, 07/06/2010 - 06:32

Brandon,


I'd start by showing us "show crypto ipsec sa" on your home 5505.


Then from the headend we'd need:

--------

show run crypto

show run nat

show run global

show run static

show run tunnel-group

---------


Ideally I would enable logs on informational level on both headend and local ASA.

Run the ping and check:


-------

show logg | i 10.1.254.254

-------


We're looking for connections being built or any "deny" messages.


Marcin
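A small triage helper for the check Marcin describes above (informational logging, then filtering the log for the loopback address and looking for built connections or deny messages), added here as an example; it is not code from the thread. It assumes Python 3, the standard ASA syslog message IDs named in the comments, and constructed sample log lines whose addresses and interface names are made up.

```python
import re

# Constructed sample of what "show logging | include 10.1.254.254" could return
# on the headend ASA at informational level while the loopback is pinged over
# the EasyVPN tunnel. The lines are made up for this example: the message IDs
# are real ASA syslog IDs, but the addresses, counts and interface names are
# assumed and not taken from the thread.
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.1/0 gaddr 10.1.254.254/0 laddr 10.1.254.254/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.100.1/0 gaddr 10.1.254.254/0 laddr 10.1.254.254/0
%ASA-3-305005: No translation group found for icmp src outside:192.168.100.1 dst inside:10.1.254.254 (type 8, code 0)
%ASA-4-106023: Deny icmp src outside:192.168.100.1 dst inside:10.1.254.254 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.1/0 gaddr 10.2.100.50/0 laddr 10.2.100.50/0
"""

# Message IDs that answer "was a connection built, or was the packet dropped?"
VERDICT_BY_ID = {
    "302020": "built",     # ICMP connection created: policy and NAT both passed
    "302021": "teardown",  # normal close of a built ICMP connection
    "106023": "acl-deny",  # dropped by an access-group
    "305005": "nat-miss",  # no translation matched (static vs. exemption problems)
    "305006": "nat-miss",  # translation creation failed
}
BLOCKING = {"acl-deny", "nat-miss"}
LINE_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")

def _mentions(line, host):
    # Match the whole address only, so 10.1.254.25 does not match 10.1.254.254.
    return re.search(r"(?<![\d.])" + re.escape(host) + r"(?![\d.])", line) is not None

def triage(log_text, host):
    """Count verdicts for every syslog line that mentions `host`."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not _mentions(line, host):
            continue
        verdict = VERDICT_BY_ID.get(m.group("msgid"), "other")
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

def first_blocker(log_text, host):
    """Return the first deny or NAT-failure line for `host`, or None."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and _mentions(line, host) and VERDICT_BY_ID.get(m.group("msgid")) in BLOCKING:
            return line
    return None

if __name__ == "__main__":
    for host in ("10.1.254.254", "10.2.100.50"):
        print(host, triage(SAMPLE_LOG, host), first_blocker(SAMPLE_LOG, host))
```

A 305005/305006 line for the loopback is the log-side signature of the translation problem the thread ends up finding, whereas a ping that never shows up at all on the headend points back at the tunnel or the client side.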


branfarm1 Tue, 07/06/2010 - 16:42

Marcin,


Thanks for your help -- in the process of gathering the output for the commands you requested, I realized I had added a static NAT for that particular IP.  As soon as I removed the static NAT everything began working properly.


Thanks again for your help.


Brandon

Marcin Latosiewicz Wed, 07/07/2010 - 00:11

Brandon,


In theory NAT 0 access-list (nat exemption) should take precedence over static. So that seems a bit odd, but I may be not comprehending the whole scenario :-)


Marcin
