2138 Views | 0 Helpful | 2 Replies

How to open all ports across a VPN

dbrown
Level 1

I'm setting up a second Exchange 2010 server at a DR location and have been experiencing some problems. The two sites are connected via a pair of ASA 5510s using the point-to-point VPN. I want to rule out any possible VPN issues that may be blocking ports and wanted to see if there is an easy way to do this and simply allow all traffic without any restrictions between the two ASAs. I've attached the scrubbed configs here... Ewing is the primary site and DBSi is the DR site. I'd very much appreciate any assistance on this one!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Seems to me at least that both have the "sysopt" configuration that controls VPN traffic entering the "outside" interface at its default setting.

And the default setting is that all traffic entering the ASA through a VPN connection will bypass any ACL attached to the "outside" interface.

The command is "sysopt connection permit-vpn". As a default setting it isn't shown when you issue the command "show run sysopt". So you can't really see it in your running configuration.

Personally, if I don't get something working after doing the configurations, then I simply rely on either the logs the ASA sends to a syslog server or I monitor the logs in real time through ASDM.

If that doesn't give any clue to what the problem is, I probably configure a capture on the ASA to confirm that when I do see a connection that I also see return traffic for that connection.

I also use the "packet-tracer" command quite often to check that the correct NAT configuration is applied to the connection a user is attempting.

Command format would be

packet-tracer input

- Jouni

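The log-driven approach Jouni describes can be scripted so the denied flows stand out. The following is an added example, not code from Jouni or from Cisco: it parses ASA syslog lines in the format of message ID 106023 (ACL deny), keeps only the denies between the two site LANs, lists the blocked protocol/port pairs, and builds the matching `packet-tracer` command to reproduce each one. The site subnets (10.1.0.0/16 for Ewing, 10.2.0.0/16 for DBSi), the ACL name `outside_access_in` and the log lines themselves are constructed placeholders, not values from the poster's configs. Note the reasoning in the comments: with `sysopt connection permit-vpn` at its default, traffic that arrived through the tunnel should not be denied by the outside ACL at all, so a 106023 hit on the outside interface for inter-site traffic is itself a clue that either that default was changed or the packet did not come through the tunnel.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed site LANs (placeholders, not the poster's real addressing).
SITE_EWING = ip_network("10.1.0.0/16")   # primary site
SITE_DBSI = ip_network("10.2.0.0/16")    # DR site

# Constructed ASA syslog sample. 106023 = denied by ACL, 302013 = connection built.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:10.2.1.10/54321 dst inside:10.1.1.5/443 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for outside:10.2.1.10/54322 (10.2.1.10/54322) to inside:10.1.1.5/25 (10.1.1.5/25)
%ASA-4-106023: Deny udp src outside:10.2.1.11/50000 dst inside:10.1.1.5/389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.5/3389 by access-group "outside_access_in" [0x0, 0x0]
"""

# Field layout of message 106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return one dict per 106023 line; other message IDs are ignored."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def intersite_denies(records, net_a, net_b):
    """Keep denies whose source and destination sit in opposite site LANs.

    If 'sysopt connection permit-vpn' is at its default, tunnel traffic bypasses
    the outside ACL, so any hit here on the outside interface means either the
    default was overridden or the packet did not arrive through the tunnel.
    """
    out = []
    for rec in records:
        src, dst = ip_address(rec["sip"]), ip_address(rec["dip"])
        a_to_b = src in net_a and dst in net_b
        b_to_a = src in net_b and dst in net_a
        if a_to_b or b_to_a:
            out.append(rec)
    return out


def blocked_ports(records):
    """Distinct (protocol, destination port) pairs seen denied, sorted."""
    return sorted({(rec["proto"], rec["dport"]) for rec in records})


def packet_tracer_cmd(rec):
    """Build the ASA 'packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>'
    command that replays the denied flow through the ASA's own policy checks."""
    return (f"packet-tracer input {rec['sif']} {rec['proto']} "
            f"{rec['sip']} {rec['sport']} {rec['dip']} {rec['dport']}")


if __name__ == "__main__":
    hits = intersite_denies(parse_denies(SAMPLE_LOG), SITE_EWING, SITE_DBSI)
    print("Blocked between sites:", blocked_ports(hits))
    for rec in hits:
        print(packet_tracer_cmd(rec))
```

Feed it the output of `show logging` or the syslog server's file for the ASA in question; the flow from 198.51.100.7 in the sample is deliberately outside both LANs and is dropped from the inter-site list, which is the point of the subnet filter: Internet-side noise on the outside ACL is not evidence about the tunnel.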

2 Replies


Thanks Jouni, I like the idea of using the real time monitor so I'll start with that one.