We have created an EasyVPN between the branch ASA5505 and the HQ ASA5510, which is up; however, we can ping a host in the HQ network from the branch network but we cannot ping hosts in the branch network from the HQ network. The ASA5505 has been configured in Network Extension Mode, but there is no route for the branch network in the routing table. As the ASA5505 is actually on a private IP address behind the BT ADSL router, do I need to enable any static NAT rules or port forwarding? Also, should I be using NAT on the ASA5505 or set it up just for routing?
You can ping successfully from left to right but not from right to left.
Had this been a route issue, then PING would not have been successful anyway.
We need to check:
1. When you ping from right to left (HQ->BR):
- Does the packet make it to the HQ FW?
- Does the HQ FW encrypt it (do you see increasing TX in the ipsec sa (sh cry ipsec sa))?
- Do you see increasing RX in the BR (sh cry ipsec sa)?
- Do you see increasing TX in the BR (if you see this, that means the echo request made it to the destination and the echo reply came back; this probably will not be the case, since you are here reading this)?
- Does the echo request make it to the actual destination?
- Do you see the echo reply coming out of the destination?
Check for any FW on the destination. If Windows XP and the Cisco VPN client is installed, check for the Stateful FW option in the VPN client; if on, turn it off.
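The checklist above amounts to comparing the per-SA TX/RX counters on both ASAs before and after a burst of pings and seeing which hop stops growing. The following script is an added example, not code from the original thread or from Cisco: it parses the `#pkts encaps` / `#pkts decaps` lines of `show crypto ipsec sa` output from two snapshots per firewall and reports at which stage of the HQ->BR round trip the packets are lost. The four snapshots embedded below are constructed to resemble ASA output and do not come from the poster's devices; the stage names returned by `diagnose()` are this example's own.

```python
import re

# Constructed snapshots of `show crypto ipsec sa` counter lines, taken on
# each ASA before and after sending five pings from HQ towards the branch.
# Values are made up for illustration, not captured from real devices.
HQ_BEFORE = """
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 300, #pkts decrypt: 300, #pkts verify: 300
"""
HQ_AFTER = """
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 300, #pkts decrypt: 300, #pkts verify: 300
"""
BR_BEFORE = """
    #pkts encaps: 300, #pkts encrypt: 300, #pkts digest: 300
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
"""
BR_AFTER = """
    #pkts encaps: 300, #pkts encrypt: 300, #pkts digest: 300
    #pkts decaps: 125, #pkts decrypt: 125, #pkts verify: 125
"""

ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_counters(output):
    """Return (encaps, decaps) summed over every SA present in the output.

    encaps = packets this ASA encrypted and sent into the tunnel (TX);
    decaps = packets it received from the tunnel and decrypted (RX).
    Summing across SAs keeps the check valid when several SAs are active.
    """
    enc = [int(x) for x in ENCAPS.findall(output)]
    dec = [int(x) for x in DECAPS.findall(output)]
    if not enc or not dec:
        raise ValueError("no IPsec SA counters found in output")
    return sum(enc), sum(dec)


def delta(before, after):
    """Counter growth between snapshots; a drop means the SA was rebuilt."""
    return after - before if after >= before else None


def diagnose(hq_before, hq_after, br_before, br_after):
    """Locate where an HQ -> branch ping dies, following the checklist order.

    Returns one of: COUNTERS_RESET, HQ_NOT_ENCRYPTING, BRANCH_NOT_RECEIVING,
    NO_REPLY_FROM_DESTINATION, REPLY_LOST_ON_RETURN, OK.
    """
    hq0, hq1 = parse_counters(hq_before), parse_counters(hq_after)
    br0, br1 = parse_counters(br_before), parse_counters(br_after)
    hq_tx = delta(hq0[0], hq1[0])   # HQ encrypted the echo requests
    hq_rx = delta(hq0[1], hq1[1])   # HQ decrypted the echo replies
    br_tx = delta(br0[0], br1[0])   # branch encrypted the echo replies
    br_rx = delta(br0[1], br1[1])   # branch decrypted the echo requests
    if None in (hq_tx, hq_rx, br_tx, br_rx):
        return "COUNTERS_RESET"     # SA renegotiated; take fresh snapshots
    if hq_tx == 0:
        return "HQ_NOT_ENCRYPTING"  # request never reached / entered the tunnel at HQ
    if br_rx == 0:
        return "BRANCH_NOT_RECEIVING"  # encrypted packets lost between the sites
    if br_tx == 0:
        return "NO_REPLY_FROM_DESTINATION"  # host or host firewall did not answer
    if hq_rx == 0:
        return "REPLY_LOST_ON_RETURN"  # branch sent replies, HQ never decrypted them
    return "OK"


if __name__ == "__main__":
    print(diagnose(HQ_BEFORE, HQ_AFTER, BR_BEFORE, BR_AFTER))
```

With the constructed snapshots, HQ TX and branch RX both grow by five while branch TX stays flat, so the script reports `NO_REPLY_FROM_DESTINATION`, which is the case the answer singles out: the echo request reaches the branch host but nothing comes back, pointing at the destination host or its firewall rather than the tunnel.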