L2L with ASA5525 to ASA5505 only one direction

o.fulbert
Level 1

Hi,

    I have two ASAs, but the VPN works only in one direction. Network 172.17.8.0 to 172.17.2.0 is OK, but not 2.0 to 8.0.

    I've checked nat0 on the ASA5505 with 8.0.5, but it is not easy to check in 8.6 on the ASA5525.

    Does anyone have an idea?

1 Accepted Solution


Hi

I found this configuration on ASA-5505

no sysopt connection permit-vpn

It means that your firewall won't permit connections that are coming through the VPN on the OUTSIDE interface without first checking the ACL of the OUTSIDE interface.

Since you don't have any ACL on the OUTSIDE interface of the ASA-5505, the firewall won't let connections through from the ASA-5525 direction.

Can you issue the command "sysopt connection permit-vpn" on the ASA-5505 and try again?

- Jouni


Jouni Forss
VIP Alumni

Hi,

Didn't we look at this L2L VPN connection earlier in the below thread on the forums?

https://supportforums.cisco.com/thread/2189848

At the end of the thread you stated that it works, or I understood that ICMP was working through the L2L VPN.

I wonder why it isn't working anymore?

- Jouni

This, to my understanding, handles the NAT0 type configuration for the 8.6 software ASA:

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

- Jouni

It works, but only in one direction. I'm trying to set up a printer on net 172.17.8.0 and I discovered that it only works in one direction....

Thanks


An alternative would be to make an ACL on the OUTSIDE interface of the ASA-5505 and allow the traffic you need to allow between networks 172.17.2.0/24 and 172.17.8.0/24.

- Jouni
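The two fixes Jouni describes (re-enable "sysopt connection permit-vpn", or permit the remote LAN in an inbound ACL on the outside interface) plus the 8.3+ identity NAT line can be checked mechanically against a saved config. The script below is an added example, not from the thread or from Cisco; it audits a constructed sample config in the 8.6 style and names the object names LAN and REMOTE-LAN and the interface name "outside" as assumptions.

```python
import re

# Constructed sample in the ASA 8.6 style discussed in the thread; not the poster's config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
object network LAN
 subnet 172.17.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 172.17.8.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
no sysopt connection permit-vpn
"""

def audit_l2l_inbound(config, outside_if="outside"):
    """Report why decrypted L2L traffic arriving on outside_if may be dropped."""
    lines = [ln.strip() for ln in config.splitlines()]
    # The sysopt is on by default; the config only shows the 'no' form when it is off.
    permit_vpn = "no sysopt connection permit-vpn" not in lines
    # 8.3+ identity twice-NAT (source static X X destination static Y Y)
    # or pre-8.3 NAT exemption (nat (inside) 0 access-list ...).
    twice_nat = re.compile(r"^nat \(\S+,\S+\) source static (\S+) \1 destination static (\S+) \2\b")
    nat_exempt = any(twice_nat.match(ln) or re.match(r"^nat \(\S+\) 0 access-list \S+", ln) for ln in lines)
    acl = None
    for ln in lines:
        m = re.match(rf"^access-group (\S+) in interface {re.escape(outside_if)}$", ln)
        if m:
            acl = m.group(1)
    acl_permits = bool(acl) and any(
        re.match(rf"^access-list {re.escape(acl)} (extended )?permit\b", ln) for ln in lines)
    return {
        "nat_exempt": nat_exempt,
        "permit_vpn": permit_vpn,
        "outside_acl": acl,
        "acl_permits": acl_permits,
        # Inbound works only if the flow is NAT-exempt and either bypasses the
        # interface ACL (sysopt) or is explicitly permitted by that ACL.
        "inbound_allowed": nat_exempt and (permit_vpn or acl_permits),
    }

def remediations(findings):
    """List the fixes from the thread that apply to each failed check."""
    fixes = []
    if not findings["nat_exempt"]:
        fixes.append("add identity NAT (NAT exemption) for LAN <-> REMOTE-LAN")
    if not findings["permit_vpn"] and not findings["acl_permits"]:
        fixes.append("enable 'sysopt connection permit-vpn' or permit the remote LAN in the outside ACL")
    return fixes
```

Run it against `show running-config` output from the spoke ASA; a result with `inbound_allowed` False and the sysopt remediation is exactly the one-direction symptom described in this thread.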

Well,

     Good! Thanks a lot!

Glad it's working again.

Good that it wasn't anything harder to correct.

- Jouni