Re: VLANS across site-to-site not letting traffic to flow between each

newbutnot · ‎03-31-2023

ASDM user - Configured site=to-site using FP1120 but traffic is not flowing to vlans which are identical other than 2nd octet at both locations. Both crypto map and Profiles are using same encyrtion and NAT exception. But I am unable to ping or rdp anything from site to site. Lastly, there are ACL rules in place to allow traffic. What am I missing?

newbutnot · ‎03-31-2023

Both sites have ASA 1120 BTW. I have confirmed the tunnel is up by looking at monitoring/sessions. I can see the tunnel active.

MHM Cisco World · ‎03-31-2023

Acl in one side must mirror not must be same'

Are you sure config acl for ipsec correct?

newbutnot · ‎03-31-2023

When looking at the ACL Manager under Site to Site, I do see differences. Is this what you are referring to?

MHM Cisco World · ‎03-31-2023

Can you share acl of both sides?

newbutnot · ‎03-31-2023

Unfortunately, not on a forum. But here is an error:

5

Mar 31 2023

15:59:12

305013

10.167.x.x

49906

10.166.x.x

3389

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.167.x.x/49906 dst lcot:10.166.10.35/3389 denied due to NAT reverse path failure

MHM Cisco World · ‎03-31-2023

that simple
you use exception NAT but there is other NAT above it effect the return traffic
only check the order the order of NAT you config

Georg Pauwen · ‎04-04-2023

Hello,

post the NAT rules for both sides (change the IP addresses and interface names if you don't want them to be public).