ASA EasyVPN setup -- can't ping loopback on CME router
I'm not sure if this is a firewall issue or something on my router, so I thought I'd start here. I have an ASA 5505 at home that I'm using as an EasyVPN client for the purpose of connecting a Cisco IP phone to a 2851 CME router. At the office I have an ASA 5510 that is acting as the EasyVPN server. The loopback address of the CME router is 10.1.254.254, and the ethernet interfaces of the router are 10.2.100.50 and 10.1.100.1. The EasyVPN client gets an address of 192.168.100.1 on the EasyVPN server.
From my house, if I hook up a computer to my ASA 5505, the VPN builds and I can ping all my internal hosts (at the office), and I can ping both the interfaces of the router. If I attempt to ping the router loopback address I get nothing. If I start at the router and work my way to the EasyVPN server (ASA 5510) I can ping the router loopback address from the main switch, and then from the ASA5510. I think it's a firewall issue because of captures I've set up on both inside interfaces on the ASAs:
If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo replies on the ASA5505, and I see them on the ASA5510 -- successfully traversing the VPN tunnel.
If I ping 10.1.254.254, I see the echo request at the ASA5505, but I don't see anything on the ASA5510.
I've checked my nat_exemption on the ASA5510 and I have an entry like this:
access-list nat_exemption extended permit ip any 192.168.100.0 255.255.255.128
I can provide more configs if necessary, but does anyone have any ideas where I'm going wrong?
Thanks for your help -- in the process of gathering the output for the commands you requested, I realized I had added a static NAT for that particular IP. As soon as I removed the static NAT everything began working properly.