[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Cisco ASA5510 to Cisco 877W EasyVPN ROUTING issue

Posted on 2009-02-21
Medium Priority
Last Modified: 2012-05-06
Hello All,
This is one of those problems that has had me scratching my head for a day or so....

We currently have two sites.  One HQ and one remote site.
The HQ has a Cisco ASA5510 firewall on a leased line and the remote site has a Cisco 877W connected to the internet by ADSL.
We have established a VPN between the two sites and this is connected fine. We use EasyVPN with NEM.
However, something is wrong with the routing.
We are unable to ping anything at the HQ from the remote site and vice versa.

(IP addressing changed)
Our HQ ASA IP is 213.131.555.555 connected to the internet router on 213.131.555.556
Our remote site IP is 94.30.555.555.
Internal HQ address of firewall is
Internal remote office vlan1 ip is

We cannot ping the firewall from the branch office.
We cannot ping the vlan1 IP from the ASA firewall.

More info can be provided if needed.  

(HQ Firewall clean running-config)
ASA Version 7.2(4) 
hostname FIREWALL
domain-name firewall.local
enable password **** encrypted
passwd **** encrypted
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif Outside
 security-level 100
 ip address 213.131.555.555 
interface Management0/0
 nameif management
 security-level 100
 ip address 
ftp mode passive
dns server-group DefaultDNS
 domain-name firewall.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list RemoteInbound_splitTunnelAcl standard permit any 
access-list Inside_nat0_outbound extended permit ip any 
access-list Inside_nat0_outbound extended permit ip 
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list Outside_access_in extended permit icmp any any 
access-list Outside_access_in extended permit ip any 213.131.555.555 
access-list Outside_1_cryptomap extended permit ip 
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any 
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip local pool Inbound10.50.2.0 mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
nat (management) 0
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
route Inside 1
route Outside 213.131.555.556 1
route Outside 94.30.555.555 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http Outside
http management
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set pfs group1
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 94.30.555.400 
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet Inside
telnet Outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config management
dhcpd address management
dhcpd dns interface management
dhcpd domain firewall.local interface management
group-policy RemoteInbound internal
group-policy RemoteInbound attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteInbound_splitTunnelAcl
 default-domain value firewall.local
 nem enable
username admin password **** encrypted privilege 15
username fabincoming password **** encrypted privilege 15
username fabincoming attributes
 vpn-group-policy RemoteInbound
 vpn-access-hours none
 vpn-simultaneous-logins 99
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage enable
 group-lock none
tunnel-group RemoteInbound type ipsec-ra
tunnel-group RemoteInbound general-attributes
 address-pool Inbound10.50.2.0
 default-group-policy RemoteInbound
tunnel-group RemoteInbound ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context

Open in new window

Question by:ArronG

Expert Comment

ID: 23731351
try dropping this command on the asa:

#icmp permit Inside
#management-access inside
#sysopt connection permit-vpn

then try pinging from the remote site again.

Accepted Solution

ArronG earned 0 total points
ID: 24622308
So many experts and no replies !!

Thanks for your suggestions, however, this did not work.
A working solution has now been found.
Closing question.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36902100
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question