cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1133
Views
0
Helpful
3
Replies
branfarm1
Enthusiast

ASA EasyVPN setup -- can't ping loopback on CME router

Hi there,

I'm not sure if this is a firewall issue or something on my router, so I thought I'd start here.  I have an ASA 5505 at home that I'm using as an EasyVPN client for the purpose of connecting a Cisco IP phone to a 2851 CME router.  At the office I have an ASA 5510 that is acting as the EasyVPN server.  The loopback address of the CME router is 10.1.254.254, and the ethernet interfaces of the router are 10.2.100.50 and 10.1.100.1.  The EasyVPN client gets an address of 192.168.100.1 on the EasyVPN server.

From my house, if I hook up a computer to my ASA 5505, the VPN builds and I can ping all my internal hosts (at the office), and I can ping both the interfaces of the router.  If I attempt to ping the router loopback address I get nothing.   If I start at the router and work my way to the EasyVPN server (ASA 5510) I can ping the router loopback address from the main switch, and then from the ASA5510. I think it's a firewall issue because of captures I've setup on both inside interfaces on the ASA's:

If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo replies on the ASA5505, and I see them on the ASA5510 -- successfully traversing the VPN tunnel.

If I ping 10.1.254.254, I see the echo request at the ASA5505, but I don't see anything on the ASA5510.

I've checked my nat_exemption on the ASA5510 and I have an entry like this:

access-list nat_exemption extended permit ip any 192.168.100.0 255.255.255.128

I can provide more configs if necessary, but does anyone have any ideas where I'm going wrong?

Thanks in advance,

Brandon

1 ACCEPTED SOLUTION

Accepted Solutions
Marcin Latosiewicz
Cisco Employee

Brandon,

I'd start by showing us "show crypto ipsec sa" on your home 5505.

Then from the headend we'd need:

--------

show run crypto

show run nat

show run global

show run static

show run tunnel-group

---------

Ideally I would enable logs on informqtional level on both headend and local ASA.

Run the ping and check:

-------

show logg | i 10.1.254.254

-------

We're looking for connections being built or any "deny" messages.

Marcin

View solution in original post

3 REPLIES 3
Marcin Latosiewicz
Cisco Employee

Brandon,

I'd start by showing us "show crypto ipsec sa" on your home 5505.

Then from the headend we'd need:

--------

show run crypto

show run nat

show run global

show run static

show run tunnel-group

---------

Ideally I would enable logs on informqtional level on both headend and local ASA.

Run the ping and check:

-------

show logg | i 10.1.254.254

-------

We're looking for connections being built or any "deny" messages.

Marcin

Marcin,

Thanks for your help -- in the process of gathering the output for the commands you requested, I realized I had added a static NAT for that particular IP.  As soon as I removed the static NAT everything began working properly.

Thanks again for your help.

Brandon

Brandon,

In theory NAT 0 access-list (nat exemption) should take precedence over static. So that seems a bit odd, but I may be not comprehanding the whole scenario :-)

Marcin

Create
Recognize Your Peers
Content for Community-Ad