11-14-2014 09:55 AM
I have a 5510 connected to a 5505 using a site-to-site VPN and can communicate from the internal network of the 5505 to the internal network on the 5510, but not vice versa (also NOTE: ping does not work either way).
11-14-2014 04:59 PM
Hello,
I analyzed the configuration and saw that you have phase 1, phase 2 and NAT 0 configured correctly:
The output of the main config of the 2 ASAs:
50.192.51.129
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 12.15.83.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_10 object SI-DDS-Airport
object-group network DM_INLINE_NETWORK_10
network-object 10.0.2.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
object network SI-DDS-Airport
subnet 10.0.5.0 255.255.255.0
nat (inside,outside) source static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 destination static SI-DDS-Airport SI-DDS-Airport no-proxy-arp route-lookup
----------------------------------------------------------------
12.15.83.10
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 50.192.51.129
crypto map outside_map 2 set transform-set ESP-3DES-SHA
access-list outside_cryptomap extended permit ip 10.0.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
object-group network DM_INLINE_NETWORK_1
network-object SI-Server-Network 255.255.255.0
network-object SI-LAN-Network 255.255.0.0
name 10.0.2.0 SI-Server-Network
name 172.16.0.0 SI-LAN-Network
access-list inside_nat0_outbound_1 extended permit ip 10.0.5.0 255.255.255.0 SI-Server-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.0.5.0 255.255.255.0 SI-LAN-Network 255.255.0.0
Though I see that on the 5510 you don't have a route indicating where 10.0.5.0/24 is:
route outside 10.0.5.0 255.255.255.0 50.192.51.142
Also, on the 5505, I would recommend adding the routes:
route outside 10.0.2.0 255.255.255.0 12.15.83.9
route outside 172.16.0.0 255.255.0.0 12.15.83.9
Please attach the following:
On the 5505
Run these packet-tracers twice after making the previous changes:
- packet-tracer input inside icmp 10.0.5.25 8 0 10.0.2.25 de
- packet-tracer input inside icmp 10.0.5.25 8 0 172.16.0.15 de
- show crypto isakmp sa
- show crypto ipsec sa
If the issue persists, run a capture:
From a server or computer, run a constant ping to any host on the other side:
capture CAP interface inside match ip host <IP_10.0.5.X> host <IP_10.0.2.X>
Let me know how it works out,
Please don't forget to rate and mark as correct the helpful post!
David Castro,
Regards,
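The three things this reply checks (crypto ACLs mirrored on both peers, NAT exemption for the VPN traffic, and a route to the remote network) can be verified mechanically from the two configs. The Python below is an added example, not code from the thread or from Cisco; the two configs are constructed from the snippets posted, trimmed to the lines that matter, and the 5505's "nat (inside) 0 access-list inside_nat0_outbound_1" binding line is an assumption (the thread shows only the ACL). Run against the posted snippets it reports exactly the missing routes recommended above, and it also flags a one-sided crypto ACL or a missing NAT exemption if either is broken.

```python
"""Static checks for an ASA site-to-site VPN: mirrored crypto ACLs, NAT exemption and a
route to the remote network. Added example, not code from the thread; the configs are
constructed from the posted snippets and the 5505's 'nat (inside) 0' line is assumed."""
import ipaddress

# Constructed: 5510 side (50.192.51.129), 8.3+ identity twice-NAT rule as posted.
ASA_5510 = """
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 12.15.83.10
object-group network DM_INLINE_NETWORK_10
 network-object 10.0.2.0 255.255.255.0
 network-object 172.16.0.0 255.255.0.0
object network SI-DDS-Airport
 subnet 10.0.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_10 object SI-DDS-Airport
nat (inside,outside) source static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 destination static SI-DDS-Airport SI-DDS-Airport no-proxy-arp route-lookup
"""
# Constructed: 5505 side (12.15.83.10), pre-8.3 'nat 0' style; the last line is assumed.
ASA_5505 = """
name 10.0.2.0 SI-Server-Network
name 172.16.0.0 SI-LAN-Network
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 50.192.51.129
object-group network DM_INLINE_NETWORK_1
 network-object SI-Server-Network 255.255.255.0
 network-object SI-LAN-Network 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound_1 extended permit ip 10.0.5.0 255.255.255.0 SI-Server-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.0.5.0 255.255.255.0 SI-LAN-Network 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound_1
"""

def _net(cfg, ip, mask):  # resolve a 'name' alias and build the network
    return ipaddress.ip_network(f"{cfg['names'].get(ip, ip)}/{mask}", strict=False)

def _named(cfg, name):  # networks behind an object or object-group name
    return cfg["groups"][name] if name in cfg["groups"] else [cfg["objects"][name]]

def _addr(cfg, tok, i):
    """Consume one ACL address spec at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] in ("object", "object-group"):
        return _named(cfg, tok[i + 1]), i + 2
    return [_net(cfg, tok[i], tok[i + 1])], i + 2

def parse_asa(config):
    """Pull names, objects, groups, ACLs, routes, NAT lines and the crypto ACL name."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    cfg = {"objects": {}, "groups": {}, "acls": {}, "routes": [], "nat": [],
           "names": {t[2]: t[1] for t in lines if t[0] == "name"}}  # aliases resolve first
    cur = None  # (table, key) of the object or object-group being filled
    for tok in lines:
        if tok[:2] == ["object", "network"]:
            cur = ("objects", tok[2])
        elif tok[:2] == ["object-group", "network"]:
            cur, cfg["groups"][tok[2]] = ("groups", tok[2]), []
        elif tok[0] == "subnet" and cur:
            cfg["objects"][cur[1]] = _net(cfg, tok[1], tok[2])
        elif tok[0] == "network-object" and cur:
            cfg["groups"][cur[1]] += _addr(cfg, tok, 1)[0]
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(cfg, tok, 5)
            cfg["acls"].setdefault(tok[1], []).append((src, _addr(cfg, tok, i)[0]))
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            cfg["crypto_acl"] = tok[-1]
        elif tok[0] == "route":
            cfg["routes"].append(_net(cfg, tok[2], tok[3]))
        elif tok[0] == "nat":
            cfg["nat"].append(tok)
    return cfg

def _pairs(entries):  # expand [(srcs, dsts)] into a set of (src, dst) networks
    return {(s, d) for srcs, dsts in entries for s in srcs for d in dsts}

def crypto_pairs(cfg):  # (local, remote) pairs the crypto map treats as interesting
    return _pairs(cfg["acls"].get(cfg.get("crypto_acl"), []))

def nat_exempt_pairs(cfg):  # pre-8.3 'nat 0 access-list' or 8.3+ identity twice NAT
    pairs = set()
    for tok in cfg["nat"]:
        if tok[2:4] == ["0", "access-list"]:
            pairs |= _pairs(cfg["acls"].get(tok[4], []))
        elif "source" in tok and "destination" in tok:
            s, d = tok.index("source"), tok.index("destination")
            if tok[s + 2] == tok[s + 3] and tok[d + 2] == tok[d + 3]:  # real == mapped
                pairs |= _pairs([(_named(cfg, tok[s + 2]), _named(cfg, tok[d + 2]))])
    return pairs

def check_peer(local, remote):
    """Problems that would stop local's LAN from reaching remote's LAN over the tunnel."""
    lp, rp, exempt, issues = crypto_pairs(local), crypto_pairs(remote), nat_exempt_pairs(local), []
    for s, d in sorted(lp, key=str):
        if (d, s) not in rp:
            issues.append(f"crypto ACL {s} -> {d} has no mirror on the peer")
        if not any(s.subnet_of(a) and d.subnet_of(b) for a, b in exempt):
            issues.append(f"VPN traffic {s} -> {d} is not NAT-exempt")
    issues += [f"no route to remote network {d}" for d in sorted({d for _, d in lp}, key=str)
               if not any(d.subnet_of(r) for r in local["routes"])]
    return issues
```

Calling check_peer(parse_asa(ASA_5510), parse_asa(ASA_5505)) and the reverse reports only the missing routes on each side; appending the route lines from the reply to each config makes both directions come back clean. The route check is deliberately a longest-prefix-style "is there any route covering this network" test, so a default route satisfies it too; if the 5510 in the thread had a default route out of "outside" the packet would still leave the right interface, which is why the packet-tracer output is the next thing to look at.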
11-18-2014 11:27 AM
Tried all that, and from the output it would appear everything is working properly. However, I still cannot ping or access anything on the 5505 network from the 5510 network.
Thanks for the help.
11-18-2014 12:50 PM
I see. Could you please attach the following from both VPN gateways:
- show crypto ipsec sa peer <Peer_IP_address>
- show crypto isakmp sa
Also, for a quick test, do this (This would not affect your production):
access-list inside_access permit ip any any
access-group inside_access in interface inside
If this works, you will need to create the access group correctly applied on the inside interface; take a look at this doc (Access groups).
On both ASAs, try sending traffic and also attach the packet-tracers, so we can see the phases:
On the 5505
Run these packet-tracers twice after making the previous changes:
- packet-tracer input inside icmp 10.0.5.25 8 0 10.0.2.25 de
- packet-tracer input inside icmp 10.0.5.25 8 0 172.16.0.15 de
Please don't forget to rate and mark as correct the helpful post!
David Castro,
Regards,