ASA ipsec VPN no remote LAN traffic

daxsmiddy
Level 1

I have a site-to-site VPN configured between two older ASAs (55xx). Tunnel establishes on interesting traffic and at that point, I can ping/telnet to the remote ASA's internal LAN address.

But I'm completely unable to get traffic from the remote LAN to pass back through the VPN, and I can't figure out why.  No guides or previous threads that I've been able to find mention any firewall rules or static routes or anything being needed.  Based on one thread I found yesterday, I've tried removing all static routes relating to the interesting traffic, still no luck.


show ipsec sa peer x.x.x.x
shows me the right ACL (local_network mask remote_network mask).

encaps is a larger number, decaps is a very small number. I assume this is because I'm only getting packets back when I actually ping the remote ASA.


I just can't work out what else I need to do to make this work.

Edit: added that after the tunnel is established I am able to get to the internal IP of the remote ASA.
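An added set of checks for the encaps/decaps imbalance described in the post above (this is not part of the original thread; the peer addresses 203.0.113.2 and 198.51.100.1, the remote LAN host 10.10.5.20 and the interface name inside are placeholders). A rising encaps counter with a flat decaps counter on one side means that side is sending into the tunnel but nothing is coming back for that ACL pair, so the useful evidence is on the other ASA:

```cisco
! On the local ASA: confirm the phase 1 SA is up, then read the phase 2
! counters twice a minute apart while pinging a remote LAN host.
! Rising "#pkts encaps" with flat "#pkts decaps" = sending, nothing returns.
show crypto ikev1 sa
! (on pre-8.4 images the command is "show crypto isakmp sa")
show crypto ipsec sa peer 203.0.113.2 | include local ident|remote ident|pkts encaps|pkts decaps

! On the remote ASA: the mirror image. If "#pkts decaps" rises there while
! "#pkts encaps" stays flat, the remote ASA is receiving the traffic but never
! encrypts a reply, so the reply is not reaching its crypto map at all.
show crypto ipsec sa peer 198.51.100.1 | include pkts encaps|pkts decaps

! Still on the remote ASA: simulate the reply from a remote LAN host
! (10.10.5.20, placeholder) to the local host 10.1.2.31 as it would arrive on
! inside. Every phase prints ALLOW or DROP; the packet must reach a VPN
! encrypt phase rather than being routed out of outside in the clear.
packet-tracer input inside icmp 10.10.5.20 8 0 10.1.2.31 detailed

! Confirm the remote ASA routes the local LAN toward the interface that
! carries the crypto map (normally outside), and then check that the remote
! LAN hosts and their default gateway send 10.1.0.0/16 back to this ASA at
! all; packet-tracer only covers what the ASA itself does with the reply.
show route | include 10.1.
```

The last point is the one the ASA cannot show you: if the remote hosts sit behind a separate router that has no route for 10.1.0.0/16 via the ASA, the replies never reach the firewall, and the decaps counter on the local side stays flat no matter how the tunnel is configured.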

4 Replies

daxsmiddy
Level 1

Updated... found the above issue in the downstream routing, oops.
Current situation: tunnel is up, I can ping across, and I can ping from any subnet/VLAN to any subnet/VLAN either way. Within the same VLAN/subnet as the local Inside interface, I can RDP/SSH/Telnet/<whatever> across to the subnet of the remote Inside interface. I can't do anything other than ping to or from any other subnet on either end. I CAN ping. Can NOT RDP/anything.


Relevant inside configurations...
F1: Inside = 10.1.2.0/24

Other subnets in LAN = 10.1.x.x


F2: Inside = 10.10.2.0/24

Other subnets in LAN = 10.10.x.x


Examples:

Behind F1, 10.1.2.31 can ping any 10.10.0.0/16 IP.

10.1.2.31 cannot connect to any other services on 10.10.0.0/16.


Same behind F2, but in reverse.
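Added checks for the "ping works, TCP does not" symptom described in the update above (not part of the original thread; 10.10.5.20, the source port 40000 and the capture names are placeholders). The point is to make the ASA show where the TCP packet and the ICMP packet part ways, instead of guessing, because ICMP echo is small and stateless while an RDP or SSH flow needs the SYN and SYN/ACK to cross the same firewall and needs full-size segments to fit through the tunnel:

```cisco
! On F2, trace an RDP connection from a non-directly-connected remote subnet
! host toward the local host, as it would arrive on inside.
packet-tracer input inside tcp 10.10.5.20 40000 10.1.2.31 3389 detailed

! Trace the ICMP echo that the post says works, with the same endpoints.
! Whichever phase says DROP for TCP but ALLOW for ICMP is the difference.
packet-tracer input inside icmp 10.10.5.20 8 0 10.1.2.31 detailed

! While a real RDP attempt is in progress, record every dropped packet with
! its drop reason, plus the RDP flow itself on inside.
capture drops type asp-drop all
capture rdp interface inside match tcp host 10.10.5.20 host 10.1.2.31 eq 3389
show capture drops | include 10.1.2.31
show capture rdp
! Reason "tcp-not-syn" on the SYN/ACK means this ASA never saw the SYN:
! the two halves of the connection are taking different paths.
show asp drop

! The ASA clamps TCP MSS on every flow including VPN flows (default 1380).
! "show running-config" hides defaults; "all" prints them.
show running-config all sysopt | include tcpmss

! Remove the captures afterwards; they hold memory on a 55xx.
no capture drops
no capture rdp
```

Run the same sequence on F1 in the other direction. If both packet-tracer runs end in ALLOW but the capture shows the SYN leaving and no SYN/ACK coming back through the tunnel, the problem is again on a device beyond the ASAs (a router between the inside subnets and the firewall), not in the VPN configuration.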


Dear, 


Could you share some of the VPN configuration?

Are you using the interface ACL for filtering the traffic, or are you doing ACL bypass via sysopt permit vpn-connection?

I have entered the sysopt connection permit-vpn command on both ends. However, I don't see it in the running-config for either device.

I can share the configs... I'm just not sure which parts are relevant to the VPN tunnel. I'm mostly managing via ASDM.
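For anyone in the same position, here is an added list (not part of the original thread) of the show commands that pull out exactly the parts of an ASA running-config that define a site-to-site tunnel; it applies equally to a box that was configured in ASDM, since ASDM writes the same running-config. It also explains the point raised two posts up: the ASA omits default settings from a plain "show running-config", and sysopt connection permit-vpn is the default, so entering it changes nothing visible; "show running-config all" prints the defaults too.

```cisco
! Phase 1 policies, transform sets and the crypto map bound to outside
show running-config crypto
! Peer address and pre-shared key (the key is printed as *****)
show running-config tunnel-group
! vpn-filter and other per-tunnel policy, if any is applied
show running-config group-policy
! The crypto ACL (interesting traffic) and the interface ACLs
show running-config access-list
! Which ACL is bound to which interface and direction
show running-config access-group
! NAT exemption for VPN traffic (8.3 and later; pre-8.3 uses "nat 0")
show running-config nat
! Objects referenced by the NAT and ACL lines
show running-config object
! Static routes, including the route to the peer and to the remote LAN
show running-config route
! Inside/outside addressing and security levels
show running-config interface
! sysopt lines, including the defaults that the plain command hides;
! "sysopt connection permit-vpn" should appear here even if never typed
show running-config all sysopt

! On pre-8.3 images NAT exemption is "nat (inside) 0 access-list <acl>":
show running-config | include nat|global|static
! On 8.3 and later, confirm which NAT rule a VPN flow actually hits:
show nat detail
```

Before posting the output, replace the public peer addresses and make sure the pre-shared key is masked; "show running-config tunnel-group" masks it, but "more system:running-config" prints it in the clear.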

Yep, maybe you can share it so we can help you.