
Site-to-site VPN via a pair of ASA 5505s doesn't pass traffic

The configurations are pretty straightforward. Ping between PCs in the two LANs fails. "show crypto isakmp sa" and "show crypto ipsec sa" do have outputs, though.

Please refer to the attached text files and diagram.

I'm pre-configuring the ASAs, so the outside interfaces have private IP addresses for now.

Any inputs are welcome.

Thanks!

1 ACCEPTED SOLUTION

Your configurations look straightforward.

Since the Phase 1 and Phase 2 SAs are coming up, the VPN looks correct.

We see encaps leaving ASA1 and decaps at ASA2; however, no return traffic appears to be coming in.

I suspect some issue with the host 192.168.102.5. Can you packet capture on it and verify it is receiving the traffic initiated from the host 192.168.101.5 (on ASA1 side) and that it replies using ASA2 as its default gateway?
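
The counter comparison used in the answer above, as an added example that is not part of the original thread: it reads the `#pkts encaps` / `#pkts decaps` lines of `show crypto ipsec sa` from both peers and reports where one-way traffic stops. The sample outputs and the result labels are constructed for illustration; the poster's attached outputs are not reproduced here.

```python
import re

# Constructed excerpts shaped like "show crypto ipsec sa" counter lines.
# The numbers are illustrative, not taken from the poster's attachments.
ASA1_OUTPUT = """
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA2_OUTPUT = """
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_counters(text):
    """Sum encaps/decaps over every SA block found in the pasted output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals


def diagnose(initiator_text, responder_text):
    """Return a label (hypothetical names) for where the ping path breaks.

    Counters are cumulative for the life of the SA, so capture both
    outputs right after the SA comes up and the test ping is sent.
    """
    near = parse_counters(initiator_text)
    far = parse_counters(responder_text)
    if near["encaps"] == 0:
        return "initiator_not_encrypting"      # traffic never enters the tunnel
    if far["decaps"] == 0:
        return "lost_between_peers"            # encrypted but never decrypted
    if far["encaps"] == 0:
        return "no_reply_from_remote_lan"      # remote host or its gateway
    if near["decaps"] == 0:
        return "reply_lost_between_peers"      # reply encrypted, never arrives
    return "bidirectional_ok"


if __name__ == "__main__":
    print("ASA1:", parse_counters(ASA1_OUTPUT))
    print("ASA2:", parse_counters(ASA2_OUTPUT))
    print("result:", diagnose(ASA1_OUTPUT, ASA2_OUTPUT))
```

The `no_reply_from_remote_lan` result corresponds to the case in this thread: the tunnel delivers the request, and the next check is the destination host itself.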


You're right, Marvin, it's the PC (Windows 7) 192.168.102.5. After I turned Windows Firewall off, ping from the other LAN is successful. I thought of the Windows firewall at the very beginning. I was able to ping that Win 7 PC from ASA2. This fooled me.

Thanks, Marvin.
