I'm not sure if this is a firewall issue or something on my router, so I thought I'd start here. I have an ASA 5505 at home that I'm using as an EasyVPN client for the purpose of connecting a Cisco IP phone to a 2851 CME router. At the office I have an ASA 5510 that is acting as the EasyVPN server. The loopback address of the CME router is 10.1.254.254, and the ethernet interfaces of the router are 10.2.100.50 and 10.1.100.1. The EasyVPN client gets an address of 192.168.100.1 on the EasyVPN server.
From my house, if I hook up a computer to my ASA 5505, the VPN builds and I can ping all my internal hosts (at the office), and I can ping both the interfaces of the router. If I attempt to ping the router loopback address I get nothing. If I start at the router and work my way to the EasyVPN server (ASA 5510) I can ping the router loopback address from the main switch, and then from the ASA5510. I think it's a firewall issue because of captures I've set up on both inside interfaces on the ASAs:
If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo replies on the ASA5505, and I see them on the ASA5510 -- successfully traversing the VPN tunnel.
If I ping 10.1.254.254, I see the echo request at the ASA5505, but I don't see anything on the ASA5510.
I've checked my nat_exemption on the ASA5510 and I have an entry like this:
access-list nat_exemption extended permit ip any 192.168.100.0 255.255.255.128
I can provide more configs if necessary, but does anyone have any ideas where I'm going wrong?
Thanks in advance,
I'd start by showing us "show crypto ipsec sa" on your home 5505.
Then from the headend we'd need:
show run crypto
show run nat
show run global
show run static
show run tunnel-group
Ideally I would enable logs at informational level on both headend and local ASA.
Run the ping and check:
show logg | i 10.1.254.254
We're looking for connections being built or any "deny" messages.
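The reply above filters the ASA log for the loopback address by hand with `show logg | i 10.1.254.254`. As an added example (not code from the thread or from Cisco), the script below does the same check offline over saved syslog output: it parses the two message types the reply is looking for, `%ASA-6-302020` (ICMP connection built) and `%ASA-4-106023` (packet denied by an access-group), and summarizes, per destination host, whether the ASA built a connection or dropped the echo request and which ACL and interface pair did the dropping. The log lines are constructed to mirror the poster's addresses; the ACL name `EXAMPLE_ACL` is a placeholder, not anything from the poster's configuration.

```python
import re
from typing import Dict, List, Optional

# Constructed ASA syslog sample in the 302020/302021/106023 formats.
# These lines were written for this example; they are not captures from
# the poster's 5505 or 5510. "EXAMPLE_ACL" is a placeholder ACL name.
SAMPLE_LOG = """\
%ASA-6-302020: Built outbound ICMP connection for faddr 10.1.100.1/0 gaddr 192.168.100.1/1 laddr 192.168.100.1/1
%ASA-6-302021: Teardown ICMP connection for faddr 10.1.100.1/0 gaddr 192.168.100.1/1 laddr 192.168.100.1/1
%ASA-4-106023: Deny icmp src outside:192.168.100.1 dst inside:10.1.254.254 (type 8, code 0) by access-group "EXAMPLE_ACL" [0x0, 0x0]
%ASA-6-302020: Built outbound ICMP connection for faddr 10.2.100.50/0 gaddr 192.168.100.1/2 laddr 192.168.100.1/2
"""

# 302020: an ICMP connection was built through the firewall (ping allowed).
BUILT_RE = re.compile(
    r"%ASA-\d-302020: Built (?P<direction>inbound|outbound) ICMP connection "
    r"for faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)

# 106023: a packet was denied by an interface access-group (ping dropped).
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?.*?by access-group \"(?P<acl>[^\"]+)\""
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict describing a built or deny event, or None for other lines."""
    m = BUILT_RE.search(line)
    if m:
        event = m.groupdict()
        event["event"] = "built"
        return event
    m = DENY_RE.search(line)
    if m:
        event = m.groupdict()
        event["event"] = "deny"
        return event
    return None


def events_for_host(log_text: str, host: str) -> List[Dict[str, str]]:
    """Equivalent of 'show logg | i <host>' restricted to parsed built/deny events."""
    matches = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        addresses = {event.get(k) for k in ("faddr", "gaddr", "laddr", "src", "dst")} - {None}
        if host in addresses:
            matches.append(event)
    return matches


def summarize(log_text: str, host: str) -> Dict[str, object]:
    """Count built vs. denied events for a host and name the ACLs/interfaces that denied it."""
    events = events_for_host(log_text, host)
    denies = [e for e in events if e["event"] == "deny"]
    return {
        "host": host,
        "built": sum(1 for e in events if e["event"] == "built"),
        "denied": len(denies),
        "deny_acls": sorted({e["acl"] for e in denies}),
        "deny_interfaces": sorted({f"{e['src_if']}->{e['dst_if']}" for e in denies}),
    }


if __name__ == "__main__":
    # The three addresses from the question: two router interfaces and the loopback.
    for target in ("10.2.100.50", "10.1.100.1", "10.1.254.254"):
        print(summarize(SAMPLE_LOG, target))
```

A host that shows `built` events and no `denied` events is passing the firewall, as the two router interfaces do in the sample; a host with only `denied` events points at the named access-group on the listed interface pair, which is exactly the "deny" message the reply says to look for. If the loopback address produces neither kind of event at the headend, the packet never reached that ASA, and the problem lies on the tunnel or routing side rather than in an ACL.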