
Site to Site ASA VPN, 1 subnet only working 1 way

ktwaddell
Level 1

Hi

I have a 5505 connected to a 5510 via a site-to-site VPN. The VPN has 5 subnets in the ACL list at both ends, but 2 of the subnets are assigned for remote access on the main 5510, which means the flow of traffic on these 2 subnets is main to remote, but the VPN only works if the traffic starts from remote to main.

Both sides are set to bidirectional, and I'm not sure if this is the case for all 5 subnets, as the remote site always sends data to the other 3 subnets first.

Any ideas?

Thanks

Kev

7 Replies

Is the NONAT configured in both units?

Post the config

Hi

Yes it is, the subnets are part of the same NAT ACL at both ends.

At home now, so would have to post the config tomorrow morning if no one knows what it is by then.

Just to confirm the VPN comes up fine, but traffic only flows both ways once the remote end starts it off.

Thanks

Kev

Seems like you have overlapping subnets on the main site (ASA5510), which might have more than one tunnel terminating on it. Will review the config from the ASA5505 and ASA5510 once you post them.

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

How do I attach the config? I have buttons for URL, image and video, but no file/document icon.

Yeah, even I don't see it here... pardon me, I am back on the forums after more than a year and am yet to familiarise myself with this makeover.

See if you can paste the configuration here... I am looking for IP/interfaces, VPN and NAT... the rest of the configuration can be removed...

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Hi

Sorry, I was waiting for a change window to remove the overlapping subnets I had on the VPN; however, this hasn't sorted it.

Well, I found out how to attach a text file: just edit the post and it lets you do it!!!

Reminder

VPN is up, but I can't access the remote site subnet until the remote makes a connection first.

main site config

thanks

kev

mudjain
Level 1

Please check if the remote site is behind a NATing device; if so, is port forwarding for UDP 500 and 4500 configured or not? If not, please do that and life should be good.

Static 1-to-1 NAT with the public peering IP is obviously good.

Make sure NAT traversal is enabled on either end.

Please post the output of "show crypto ipsec sa" when the tunnel is established, taken from the site where you cannot establish the tunnel from, and "show vpn-sessiondb detail l2l filter ip" .

Also, please mention if there is another firewall between the tunnel-initiating site and the ISP.
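Added example (my own, not the original poster's configuration or any replier's): a minimal pre-8.3 ASA configuration for the main-site end of the tunnel, plus the mirror-image entries for the remote end, tying together the points raised in the thread: the crypto ACL and the NAT-exemption (NONAT) ACL cover the same local/remote pairs, every crypto ACL line must exist mirrored on the peer, and NAT traversal is enabled. It goes one step beyond the thread on the two remote-access subnets: traffic sourced from a remote-access pool and bound for the L2L peer enters and leaves the same outside interface, which the ASA only forwards when intra-interface traffic is permitted and the exemption is applied on outside. All addresses, ACL names, map names and the peer IP below are placeholders I constructed (203.0.113.0/24 and RFC 1918 ranges), not the poster's networks.

```cisco
! ---- Main site (ASA5510), pre-8.3 NAT syntax. Constructed/assumed values:
!   inside LAN        10.1.0.0/16
!   RA VPN pool       10.9.0.0/24   (assigned to remote-access clients on this ASA)
!   remote site LAN   192.168.50.0/24
!   remote peer       203.0.113.2   (remote ASA5505 outside address)
!
! 1. Interesting-traffic (crypto) ACL for the L2L tunnel. The peer must carry
!    the exact mirror image (source and destination swapped) of every line;
!    a line present on one side only is a classic cause of a tunnel that
!    only comes up from one direction.
access-list L2L-REMOTE extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list L2L-REMOTE extended permit ip 10.9.0.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 2. NAT exemption ("NONAT") for the same pairs, applied on the interface the
!    traffic enters. LAN traffic enters on inside ...
access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
! ... but traffic from remote-access clients arrives on outside and leaves on
!    outside again (hairpin / u-turn), so it needs its own exemption on outside
!    and the ASA must be allowed to forward intra-interface traffic at all.
access-list NONAT-OUTSIDE extended permit ip 10.9.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUTSIDE
same-security-traffic permit intra-interface
!
! 3. IKEv1 phase 1. NAT traversal with a 20 s keepalive keeps UDP 4500 state
!    alive through any NAT device sitting in front of either peer.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! 4. Phase 2 transform set and the crypto map binding the ACL to the peer.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! 5. Tunnel group keyed on the peer address. The PSK is a placeholder.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-PSK
!
! ---- Remote site (ASA5505): mirror image of the main site's crypto ACL,
!      and NAT exemption for the same pairs on its inside interface. Its own
!      isakmp/crypto map/tunnel-group stanzas mirror the above with
!      203.0.113.1 (constructed main-site outside address) as the peer.
access-list L2L-MAIN extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list L2L-MAIN extended permit ip 192.168.50.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list NONAT-INSIDE extended permit ip 192.168.50.0 255.255.255.0 10.9.0.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
```

When reading "show crypto ipsec sa" from the side that cannot bring the tunnel up, the #pkts encaps and #pkts decaps counters separate the two failure classes: encaps staying at zero means the packets never matched the crypto ACL or were NATed away before reaching it (ACL or NONAT problem on that ASA), while encaps climbing with decaps at zero means the packets were encrypted and sent but nothing came back (peer-side ACL mismatch, or a NAT device or firewall in the path, which is where the UDP 500/4500 forwarding and NAT-T points above apply). On ASA 8.3 and later the exemption is written as twice NAT ("nat (inside,outside) source static ... destination static ..."), but the requirement that it cover exactly the pairs in the crypto ACL is unchanged.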