site to site vpn via a pair of asa 5505 doesn't pass traffic

xiaoliangyue
Level 1

The configurations are pretty straightforward. Ping between PCs in two LANs fails. "show crypto isakmp sa" and "show crypto ipsec sa" do have outputs, though.

Please refer to the attached text files and diagram.

I'm pre-configuring the ASAs, so the outside interfaces have private IP addresses for now.

Any inputs are welcome.

Thanks!

Accepted Solutions

Marvin Rhoads
Hall of Fame

Your configurations look straightforward.

Since the Phase 1 and Phase 2 SAs are coming up, the VPN looks correct.

We see encaps leaving ASA1 and decaps at ASA2; however, no return traffic appears to be coming in.

I suspect some issue with the host 192.168.102.5. Can you packet capture on it and verify it is receiving the traffic initiated from the host 192.168.101.5 (on ASA1 side) and that it replies using ASA2 as its default gateway?

You're right, Marvin, it's the PC (Windows 7) 192.168.102.5. After I turned Windows Firewall off, ping from the other LAN is successful. I thought of the Windows firewall at the very beginning. I was able to ping that Win 7 PC from ASA2. This fooled me.

Thanks, Marvin.
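
Added example (not part of the original thread or the posted configurations): a small Python check that reads the encaps/decaps counters from `show crypto ipsec sa` on both ASAs and reports where traffic stops, following the reasoning in the accepted answer. The sample outputs are constructed; the /24 masks and counter values are assumptions, and the counters are assumed to have been read after a test ping on an otherwise idle tunnel.

```python
import re

# Constructed excerpts in the layout of ASA "show crypto ipsec sa" output.
# Counter values and the /24 masks are assumptions, not data from the thread.
ASA1 = """\
  local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
  #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA2 = """\
  local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
"""

def sa_counters(text):
    """Sum the encaps/decaps counters over every SA block in the output."""
    enc = re.findall(r"#pkts encaps:\s*(\d+)", text)
    dec = re.findall(r"#pkts decaps:\s*(\d+)", text)
    if not enc or not dec:
        raise ValueError("no IPsec SA counters found (is the tunnel up?)")
    return sum(map(int, enc)), sum(map(int, dec))

def locate_drop(initiator_text, responder_text):
    """Return (stage, hint) for the first hop where the counters stop moving."""
    i_enc, i_dec = sa_counters(initiator_text)
    r_enc, r_dec = sa_counters(responder_text)
    if i_enc == 0:
        return "initiator-encrypt", "traffic never matched the initiator's crypto ACL"
    if r_dec == 0:
        return "transit", "encrypted packets are not reaching the responder"
    if r_enc == 0:
        return "responder-lan", ("request was delivered but no reply came back: "
                                 "check the host firewall and its default gateway")
    if i_dec == 0:
        return "return-transit", "replies are encrypted but not reaching the initiator"
    return "ok", "counters move in both directions"

if __name__ == "__main__":
    print(locate_drop(ASA1, ASA2))
```

With the constructed counters above, the result points at the responder-side LAN, which is where the thread's problem turned out to be.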