03-31-2023 12:05 PM
ASDM user - Configured site-to-site using FP1120 but traffic is not flowing to VLANs which are identical other than the 2nd octet at both locations. Both crypto map and profiles are using the same encryption and NAT exception. But I am unable to ping or RDP anything from site to site. Lastly, there are ACL rules in place to allow traffic. What am I missing?
03-31-2023 12:08 PM
Both sites have ASA 1120 BTW. I have confirmed the tunnel is up by looking at monitoring/sessions. I can see the tunnel active.
03-31-2023 12:11 PM
The ACL on one side must mirror the other, not be the same.
Are you sure the ACL config for IPsec is correct?
03-31-2023 12:51 PM
When looking at the ACL Manager under Site to Site, I do see differences. Is this what you are referring to?
03-31-2023 12:52 PM
Can you share acl of both sides?
03-31-2023 01:02 PM
Unfortunately, not on a forum. But here is an error:
5 | Mar 31 2023 | 15:59:12 | 305013 | 10.167.x.x | 49906 | 10.166.x.x | 3389 | Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.167.x.x/49906 dst lcot:10.166.10.35/3389 denied due to NAT reverse path failure |
03-31-2023 01:07 PM
That simple.
You use exception NAT, but there is another NAT rule above it that affects the return traffic.
Just check the order of the NAT rules you configured.
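The ordering problem described in the reply above, as an added ASA CLI illustration (not the poster's configuration and not posted by anyone in this thread). The interface name "lcot" and the host/port 10.166.10.35/3389 are taken from the 305013 log line; the object names, the /24 masks and the remote host 10.167.10.20 are assumptions for the example. It shows a broad dynamic PAT rule placed above the VPN identity (exemption) rule in manual NAT, the reorder that fixes it, and the checks that confirm both directions of the flow now hit the same rule:

```cisco
! Added example, not the poster's config. Interface "lcot" and 10.166.10.35:3389
! come from the 305013 log line; object names, /24 masks and 10.167.10.20 are assumed.
object network LCOT-LAN
 subnet 10.166.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.167.10.0 255.255.255.0

! --- Broken order: manual NAT (section 1) is evaluated top-down, first match wins.
! The broad dynamic PAT rule sits above the VPN identity rule.
nat (lcot,outside) source dynamic any interface
nat (lcot,outside) source static LCOT-LAN LCOT-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! Inbound tunnel traffic (src 10.167.x.x -> dst 10.166.10.35) matches the identity rule,
! because static manual NAT is bidirectional. The reverse flow (src 10.166.10.35 -> dst
! 10.167.x.x) is checked lcot->outside and hits the PAT rule first, so the two lookups
! disagree and the ASA logs 305013 "NAT reverse path failure" and drops the connection.

! --- Fix: remove the identity rule and re-add it at line 1 so it precedes the PAT rule.
no nat (lcot,outside) source static LCOT-LAN LCOT-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (lcot,outside) 1 source static LCOT-LAN LCOT-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- Verify: the identity rule must now be listed first, and packet-tracer must report
! the same NAT rule (and no NAT-RPF drop) for both directions of the RDP flow.
show nat
packet-tracer input outside tcp 10.167.10.20 49906 10.166.10.35 3389
packet-tracer input lcot tcp 10.166.10.35 3389 10.167.10.20 49906
```

The same check applies on the other ASA with the local and remote objects swapped. In ASDM the identical rule list appears under Configuration > Firewall > NAT Rules; the position of the exemption rule relative to any dynamic rule that also covers the local LAN is what matters, not whether both sides use the same encryption settings.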
04-04-2023 08:55 AM
Hello,
post the NAT rules for both sides (change the IP addresses and interface names if you don't want them to be public).