4556 Views | 0 Helpful | 20 Replies

Site to Site IPSEC Tunnel between ASA5510 and Palo Alto 820

DamianRC (Level 1)

Hello,

I have an IPsec tunnel between an ASA5510 and a PA820. When sourcing a ping from 1.1.1.1 to 10.16.40.199, there are no replies. Encapsulated packets do increment on each side of the tunnel, according to each firewall. It appears as if the ASA doesn't know how to return the traffic through the tunnel; however, 1.1.1.1 is reachable from the ASA, but the traffic doesn't appear to traverse the tunnel.

 

I'm using ASDM. Attached are photos of the crypto map (which should instruct this traffic to use the tunnel).

Any help would be appreciated.

20 Replies

10.16.40.199 lives on interface DMZ-2 off of the ASA.

 

If I understand you correctly, you're saying I might need an access-list permitting traffic into DMZ-2 from Palo_VPN, right? Well, I do have an ACL for this that permits anything...

I think you have an access-list applied on the DMZ-2 interface in the inbound direction.

Can you check that as well?

Is there any VPN filter configured?

 

HTH

Hmm, there is no rule with a source of DMZ-2 to Palo_VPN. Are you implying one is required?

 

I'm not familiar with ASA VPN filters. How would I check for this? Thank you.

Here are the rules under the "site-to-site" ACL manager:

If there is no rule, then why did your earlier image show a drop in the inbound direction on the DMZ-2 interface?

[Attachment: ANOTHERDENIAL.JPEG]

 

This means that traffic originating from 10.16.40.199 coming in to DMZ-2 is denied.

 

Can you check whether there is any ACL applied to DMZ-2 in the inbound direction?

 

To be clear, the ASA works with per-interface ACLs in the IN/OUT direction, not with zone pairs like other vendors.

 

HTH
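The checks raised in this thread (the crypto map's interesting-traffic ACL, a possible vpn-filter, the per-interface ACL direction, NAT, and a simulated reply packet) collected as ASA CLI commands. This is an added example and not configuration from the thread: the interface names "outside" and "DMZ-2", the crypto map name "outside_map", the ACL name "outside_cryptomap", and the peer address 203.0.113.2 are placeholders to be replaced with the real values from the running config.

```cisco
! Added example (not from the thread). Interface, map, ACL names and the peer
! address 203.0.113.2 are placeholders.

! 1. Interesting traffic: which ACL does the crypto map entry for this peer use,
!    and does it contain a "permit ip" ACE covering 10.16.40.199 <-> 1.1.1.1?
!    The Palo Alto proxy-IDs must mirror this ACE or phase 2 will not negotiate.
show running-config crypto map
show access-list outside_cryptomap

! 2. vpn-filter: applied via group-policy, written from the REMOTE side's
!    perspective (source = peer network, destination = local network) and
!    enforced on traffic in both directions. No output here means no filter.
show running-config group-policy | include vpn-filter
show running-config tunnel-group 203.0.113.2

! 3. Interface ACLs are bound per interface and per direction (in/out).
!    With "sysopt connection permit-vpn" (the default) decrypted VPN traffic
!    bypasses the inbound ACL on the terminating interface; if it has been
!    disabled, that ACL must permit the traffic explicitly.
show running-config access-group
show running-config all sysopt | include permit-vpn

! 4. NAT: the hosts must not be translated before encryption, otherwise the
!    packet no longer matches the crypto ACL. Look for an identity/exempt rule
!    for 10.16.40.199 -> 1.1.1.1 ahead of any dynamic PAT.
show nat detail

! 5. Simulate the echo reply exactly as the ASA sees it leaving DMZ-2
!    (ICMP type 0, code 0) and read the phase that reports DROP, if any.
packet-tracer input DMZ-2 icmp 10.16.40.199 0 0 1.1.1.1 detailed

! 6. SA counters and negotiated identities. Encaps rising on one side without
!    decaps rising on the other points at the far end or the path between them,
!    not at this box's policy.
show crypto ipsec sa peer 203.0.113.2
```

Step 5 is the one that answers the question in the first post directly: if packet-tracer ends in a VPN phase the return traffic is being encrypted, and if it ends in an ACCESS-LIST or NAT phase the drop reason names the rule. Note also that pinging 1.1.1.1 from the ASA itself sources the packet from an interface address, which the interesting-traffic ACL usually does not cover, so that ping says nothing about the tunnel unless the chosen source interface falls inside the ACE.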

I'm a little confused.

Traffic wouldn't originate from 10.16.40.199 and be destined for DMZ-2 because 10.16.40.199 is in DMZ-2.

I believe the rule in my last snapshot would permit traffic into DMZ-2.

 

I understand. Thanks for the clarification.
