Hi Guys,
I'm trying to troubleshoot an issue in work and I've hit a wall. We have a client with several locations around the UK. Every location has a Draytek 2710 router and a Cisco ASA5505 on site which we support (there is other equipment connected but we only look after the router & ASA). The router is connected to a standard BT Broadband line and the site is allocated a /29.
About a week ago, our monitoring server was unable to reach one site (router and ASA). We went through the usual troubleshooting (lights on the router, reboots, etc.). BT confirmed the router was logged in and authenticated; however, we couldn't "see it" or the ASA. A replacement Draytek was sent out, but the problem was the same.
We have a /26 range at work (x.x.x.192/26). On Sunday I did some further digging and found I could ping, telnet and web browse to the Draytek from my workstation (which is NAT'd to x.x.x.252 on our ASA). I can't reach the ASA at site though.
From the Draytek on site, I can ping the outside address of our ASA and the outside IP (x.x.x.195) that is NAT'd to our monitoring server.
I sent traceroutes to BT as the traceroute from us dies at the hop just before the Draytek. BT said there was nothing wrong with the traceroute and it was a security / access-list problem on our equipment. The Draytek is configured to allow access from x.x.x.192/26 and this matches other sites.
Here's a copy of the traceroutes:
Traceroute from Draytek (81.x.x.70) to our monitoring server (x.x.x.195): Pastebin.com
Can anyone offer any advice? I don't think it's an access-list / security issue as I can access the Draytek (but not the ASA, although the Draytek can ping the ASA on its public IP) from my PC which is NAT'd to an IP in the range allowed in the access list. BT are saying there's nothing wrong on their side.