01-09-2013 11:53 AM
Hi,
I've got two ASAs, but the VPN works only in one direction. Network 172.17.8.0 to 172.17.2.0 is OK, but not 2.0 to 8.0.
I've checked NAT0 on the ASA5505 with 8.0.5, but it's not easy to check in 8.6 on the ASA5525.
Does someone have an idea?
01-09-2013 12:07 PM
Hi
I found this configuration on ASA-5505
no sysopt connection permit-vpn
It means that your firewall won't permit connections that are coming in through the VPN on the OUTSIDE interface without first checking the ACL of the OUTSIDE interface.
Since you don't have any ACL on the OUTSIDE interface on the ASA-5505, the firewall won't let connections through from the ASA-5525 direction.
Can you issue the command "sysopt connection permit-vpn" on the ASA-5505 and try again?
- Jouni
01-09-2013 11:59 AM
Hi,
Didn't we look at this L2L VPN connection earlier in the below thread on the forums?
https://supportforums.cisco.com/thread/2189848
At the end of the thread you stated that it works, or I understood that ICMP was working through the L2L VPN.
I wonder why it isn't working anymore?
- Jouni
01-09-2013 11:59 AM
This, to my understanding, handles the NAT0 type configuration for the 8.6 software ASA:
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
- Jouni
01-09-2013 12:02 PM
It works, but only in one direction. I'm trying to set up a printer on net 172.17.8.0 and I discovered that it only works in one direction....
Thanks
01-09-2013 12:10 PM
An alternative would be to make an ACL on the OUTSIDE interface of the ASA-5505 and allow the traffic you need between networks 172.17.2.0/24 and 172.17.8.0/24.
- Jouni
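As an added illustration (not configuration posted by anyone in this thread), here are the 8.6 NAT exemption and the two ASA-5505 fixes discussed above written out as ASA configuration. The object names LAN and REMOTE-LAN follow Jouni's NAT line; the ACL name OUTSIDE-IN and the services permitted in it (ICMP and TCP 9100 for the printer) are assumptions.

```cisco
! ASA-5525 (8.6): identity twice-NAT ("NAT0") so VPN traffic keeps its real addresses.
! Object names follow the thread; 172.17.2.0/24 is taken to be the LAN behind the 5525.
object network LAN
 subnet 172.17.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 172.17.8.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! ASA-5505, option 1 (what resolved the thread): decrypted VPN traffic bypasses the
! outside interface ACL. Simple, but every host on 172.17.2.0/24 can then reach every
! host on 172.17.8.0/24 on any port. Verify the current setting with:
!   show running-config sysopt
sysopt connection permit-vpn
!
! ASA-5505, option 2 (Jouni's alternative): keep the bypass disabled and permit only
! what the remote LAN needs. ACL name and permitted services are assumptions.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit icmp 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0 eq 9100
! Explicit deny with logging so blocked VPN flows show up in syslog instead of vanishing.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

With option 2 the same ACL also governs non-VPN traffic arriving on the outside interface, so anything the site needs to accept from the Internet (if anything) has to be added to OUTSIDE-IN as well.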
01-09-2013 12:13 PM
Well,
Good! Thanks a lot!
01-09-2013 12:15 PM
Glad it's working again.
Good that it wasn't anything harder to correct.
- Jouni