Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1256
Views
0
Helpful
3
Replies

ASA EasyVPN setup -- can't ping loopback on CME router

Go to solution
branfarm1
Level 4
Level 4

‎07-05-2010 09:11 PM

Hi there,

I'm not sure if this is a firewall issue or something on my router, so I thought I'd start here.  I have an ASA 5505 at home that I'm using as an EasyVPN client for the purpose of connecting a Cisco IP phone to a 2851 CME router.  At the office I have an ASA 5510 that is acting as the EasyVPN server.  The loopback address of the CME router is 10.1.254.254, and the ethernet interfaces of the router are 10.2.100.50 and 10.1.100.1.  The EasyVPN client gets an address of 192.168.100.1 on the EasyVPN server.

From my house, if I hook up a computer to my ASA 5505, the VPN builds and I can ping all my internal hosts (at the office), and I can ping both the interfaces of the router.  If I attempt to ping the router loopback address I get nothing.   If I start at the router and work my way to the EasyVPN server (ASA 5510) I can ping the router loopback address from the main switch, and then from the ASA5510. I think it's a firewall issue because of captures I've setup on both inside interfaces on the ASA's:

If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo replies on the ASA5505, and I see them on the ASA5510 -- successfully traversing the VPN tunnel.

If I ping 10.1.254.254, I see the echo request at the ASA5505, but I don't see anything on the ASA5510.

I've checked my nat_exemption on the ASA5510 and I have an entry like this:

access-list nat_exemption extended permit ip any 192.168.100.0 255.255.255.128

I can provide more configs if necessary, but does anyone have any ideas where I'm going wrong?

Thanks in advance,

Brandon

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-06-2010 06:32 AM

Brandon,

I'd start by showing us "show crypto ipsec sa" on your home 5505.

Then from the headend we'd need:

--------

show run crypto

show run nat

show run global

show run static

show run tunnel-group

---------

Ideally I would enable logs on informqtional level on both headend and local ASA.

Run the ping and check:

-------

show logg | i 10.1.254.254

-------

We're looking for connections being built or any "deny" messages.

Marcin

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-06-2010 06:32 AM

Brandon,

I'd start by showing us "show crypto ipsec sa" on your home 5505.

Then from the headend we'd need:

--------

show run crypto

show run nat

show run global

show run static

show run tunnel-group

---------

Ideally I would enable logs on informqtional level on both headend and local ASA.

Run the ping and check:

-------

show logg | i 10.1.254.254

-------

We're looking for connections being built or any "deny" messages.

Marcin

0 Helpful

Go to solution
branfarm1
Level 4
Level 4
In response to Marcin Latosiewicz

‎07-06-2010 04:42 PM

Marcin,

Thanks for your help -- in the process of gathering the output for the commands you requested, I realized I had added a static NAT for that particular IP.  As soon as I removed the static NAT everything began working properly.

Thanks again for your help.

Brandon

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to branfarm1

‎07-07-2010 12:11 AM

Brandon,

In theory NAT 0 access-list (nat exemption) should take precedence over static. So that seems a bit odd, but I may be not comprehanding the whole scenario :-)

Marcin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents