Core issue

This scenario shows the IPsec tunnel configured between PIX Firewall-A and PIX-B:

LAN A --- PIX-A ---- Internet ---- PIX-B ---LAN B

During IPsec VPN testing, a ping from LAN A to LAN B works fine. But, a ping from LAN B to LAN A does not work.

Resolution

PIX-B imisses the sysopt connection permit-ipsec command. All inbound sessions must be explicitly permitted by an Access Control List (ACL) or a conduit. The sysopt connection permit-ipsec command is issued to permit all inbound IPsec authenticated cipher sessions.

In PIX version 7.x, the sysopt connection permit-ipsec and in ASA version 7.x, the sysopt connection permit-vpn command resolves the one way traffic issue.

This command is not displayed in the running configuration in version 7.x, unlike in version 6.x. Use the show running-config sysopt command in privileged EXEC mode to show the sysopt command configuration in the running configuration.

show running-config sysopt

Note: The sysopt connection permit-ipsec command is not be displayed in the output of the show running-config sysopt command on ASA version 7.x, but is displayed in PIX version 7.x. ASA only displays sysopt connection permit-vpn.

Refer to the Configurations section of Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec for more information.