09-11-2019 07:11 AM
Hello,
I have an IPsec tunnel between an ASA5510 and a PA820. When sourcing a ping from 1.1.1.1 to 10.16.40.199, there are no replies. Encapsulated packets do increment on each side of the tunnel, according to each firewall. It appears as if the ASA doesn't know how to return the traffic through the tunnel; however, 1.1.1.1 is reachable from the ASA, but the traffic doesn't appear to traverse the tunnel.
I'm using ASDM. Attached are photos of the crypto map (which should instruct this traffic to use the tunnel).
Any help would be appreciated
09-12-2019 06:50 AM
09-12-2019 06:58 AM
I think you have an access list applied on the DMZ-2 interface in the in direction.
Can you check that as well?
Is there any VPN filter configured?
HTH
09-12-2019 07:08 AM - edited 09-12-2019 07:18 AM
Hmm, there is no rule with a source of DMZ-2 to Palo_VPN. Are you implying one is required?
I'm not familiar with ASA VPN filters. How would I check for this? Thank you.
09-12-2019 07:23 AM
09-12-2019 07:25 AM
If there is no rule, then why did your earlier image show a drop in the in direction on the DMZ-2 interface?
ANOTHERDENIAL.JPEG
This means that traffic originating from 10.16.40.199 coming in to DMZ-2 is denied.
Can you check whether there is any ACL applied to DMZ-2 in the inbound direction?
To be clear, the ASA works with per-interface ACLs in the in/out direction, not with zone pairs like other vendors.
HTH
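The three things raised in this reply (an ACL bound inbound on DMZ-2, a vpn-filter on the tunnel's group-policy, and whether the crypto map actually matches the flow) can all be checked from the ASA CLI rather than by hunting through ASDM screenshots. The following is an added example, not commands from any post in this thread; it assumes the internet-facing interface is named `outside` and the PA820 peer address is 203.0.113.1, both placeholders to replace with your own values.

```cisco
! Added example (not from the thread). Run from the ASA CLI in enable mode.
! Assumptions: tunnel-terminating interface is "outside", PA820 peer is 203.0.113.1.

! 1. Which ACLs are bound to which interface, and in which direction?
show running-config access-group
!    A line such as "access-group <name> in interface DMZ-2" is the inbound ACL
!    on DMZ-2; show its entries and hit counts with:
show access-list <name>

! 2. Does decrypted tunnel traffic bypass the interface ACLs at all?
!    With "sysopt connection permit-vpn" (the default) it does; with
!    "no sysopt connection permit-vpn" the DMZ-2 ACL is enforced on it.
show running-config all sysopt | include permit-vpn

! 3. Is a vpn-filter applied to the group-policy the L2L tunnel uses?
!    Look for "vpn-filter value <acl>" under that group-policy.
show running-config tunnel-group 203.0.113.1
show running-config group-policy

! 4. Confirm the crypto map's interesting-traffic ACL covers both hosts,
!    and compare encaps/decaps counters with what the PA820 reports.
show running-config crypto map
show crypto ipsec sa peer 203.0.113.1

! 5. Walk the return flow (echo reply from 10.16.40.199 entering DMZ-2)
!    through the ASA pipeline; the output names the phase and ACL that drops it.
packet-tracer input DMZ-2 icmp 10.16.40.199 0 0 1.1.1.1 detailed
```

The packet-tracer in step 5 is the quickest way to settle the disagreement in the thread: if the reply is dropped, the `Result` section names the ACL and the phase (ACCESS-LIST, VPN, NAT) responsible, which is more reliable than reasoning about which screenshot showed a denial.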
09-12-2019 09:13 AM
I'm a little confused.
Traffic wouldn't originate from 10.16.40.199 and be destined for DMZ-2 because 10.16.40.199 is in DMZ-2.
I believe the rule in my last snapshot would permit traffic into DMZ-2.
I understand. Thanks for the clarification.