Cisco ASA5510 to Cisco 877W EasyVPN ROUTING issue

Posted on 2009-02-21
Last Modified: 2012-05-06
Hello All,
This is one of those problems that has had me scratching my head for a day or so....

We currently have two sites.  One HQ and one remote site.
The HQ has a Cisco ASA5510 firewall on a leased line and the remote site has a Cisco 877W connected to the internet by ADSL.
We have established a VPN between the two sites and this is connected fine. We use EasyVPN with NEM.
However, something is wrong with the routing.
We are unable to ping anything at the HQ from the remote site and vice versa.

(IP addressing changed)
Our HQ ASA IP is 213.131.555.555 connected to the internet router on 213.131.555.556
Our remote site IP is 94.30.555.555.
Internal HQ address of firewall is
Internal remote office vlan1 ip is

We cannot ping the firewall from the branch office.
We cannot ping the vlan1 IP from the ASA firewall.

More info can be provided if needed.  

(HQ Firewall clean running-config)

ASA Version 7.2(4)

hostname FIREWALL
domain-name firewall.local
enable password **** encrypted
passwd **** encrypted

interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address

interface Ethernet0/1
 no nameif
 no security-level
 no ip address

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Ethernet0/3
 nameif Outside
 security-level 100
 ip address 213.131.555.555

interface Management0/0
 nameif management
 security-level 100
 ip address

ftp mode passive
dns server-group DefaultDNS
 domain-name firewall.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list RemoteInbound_splitTunnelAcl standard permit any
access-list Inside_nat0_outbound extended permit ip any
access-list Inside_nat0_outbound extended permit ip
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit ip any 213.131.555.555
access-list Outside_1_cryptomap extended permit ip
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip local pool Inbound10.50.2.0 mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
nat (management) 0
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
route Inside 1
route Outside 213.131.555.556 1
route Outside 94.30.555.555 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http Outside
http management
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs group1
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 94.30.555.400
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet Inside
telnet Outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config management

dhcpd address management
dhcpd dns interface management
dhcpd domain firewall.local interface management

group-policy RemoteInbound internal
group-policy RemoteInbound attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteInbound_splitTunnelAcl
 default-domain value firewall.local
 nem enable
username admin password **** encrypted privilege 15
username fabincoming password **** encrypted privilege 15
username fabincoming attributes
 vpn-group-policy RemoteInbound
 vpn-access-hours none
 vpn-simultaneous-logins 99
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage enable
 group-lock none
tunnel-group RemoteInbound type ipsec-ra
tunnel-group RemoteInbound general-attributes
 address-pool Inbound10.50.2.0
 default-group-policy RemoteInbound

tunnel-group RemoteInbound ipsec-attributes
 pre-shared-key *

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context


Question by:ArronG
    LVL 6

    Expert Comment

    try dropping this command on the asa:

    #icmp permit Inside
    #management-access inside
    #sysopt connection permit-vpn

    then try pinging from the remote site again.
    LVL 3

    Accepted Solution

    So many experts and no replies !!

    Thanks for your suggestions, however, this did not work.
    A working solution has now been found.
    Closing question.
    LVL 35

    Expert Comment

    by:Ernie Beek
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
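
Separately from the routing question, the running-config posted above can be checked for settings that widen exposure on the internet-facing interface. The following is an added example, not part of the original thread: a Python audit run over lines copied from that config, where the `audit` function, its finding labels, and the choice of `Outside` as the untrusted interface are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the running-config posted in the
# question (the post already had most addresses stripped, so none appear).
SAMPLE = """\
interface Ethernet0/0
 nameif Inside
 security-level 100
interface Ethernet0/3
 nameif Outside
 security-level 100
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Outside_access_in extended permit icmp any any
access-group Outside_access_in in interface Outside
http Outside
telnet Inside
telnet Outside
telnet timeout 5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs group1
"""

def audit(config, untrusted="Outside"):
    """List risky settings; `untrusted` is the assumed internet-facing nameif."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, levels, nameif = [], {}, None
    # ACLs applied inbound on the untrusted interface
    bound = {m.group(1) for l in lines if (m := re.fullmatch(
        rf"access-group (\S+) in interface {re.escape(untrusted)}", l))}
    for l in lines:
        tok = l.split()
        if tok[0] == "interface":
            nameif = None                      # new interface block
        elif tok[0] == "nameif" and len(tok) > 1:
            nameif = tok[1]
        elif tok[0] == "security-level" and nameif and len(tok) > 1:
            levels[nameif] = int(tok[1])
        elif tok[0] in ("telnet", "http") and tok[-1] == untrusted:
            findings.append(f"mgmt-exposed: {tok[0]} allowed on {untrusted}")
        elif (tok[0] == "access-list" and len(tok) > 3 and tok[1] in bound
              and "permit" in tok and tok[-2:] == ["any", "any"]):
            findings.append(f"acl-any-any: {l}")
        elif re.search(r"\b(esp-3des|encryption 3des|pfs group1)\b", l):
            findings.append(f"weak-crypto: {l}")
    # The untrusted side should sit below every other named interface.
    others = [v for k, v in levels.items() if k != untrusted]
    if untrusted in levels and others and levels[untrusted] >= max(others):
        findings.append(f"flat-trust: {untrusted} security-level "
                        f"{levels[untrusted]} >= {max(others)}")
    return findings
```

Calling `audit(SAMPLE)` returns seven findings for the posted lines; the parser reads the interface name from the last token, so it works whether or not the address fields are present.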
