Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
967
Views
0
Helpful
3
Replies

VPN IPSec passthrough ASA 5505 (v9.2.4) - connected but no access

Go to solution
OlivierSI
Level 1
Level 1

‎05-30-2016 09:07 AM - edited ‎02-21-2020 08:50 PM

Hello,

Here is my situation :

I'm trying to connect a client VPN IPSec through an ASA 5505 to an other ASA 5505. Actually I can make connection to the VPN but all access are blocked (ping or IP access).

When I use an ISP router directly or at home, I have no problem (ping and IP access follow the firewall rules). Connection and access are allowed.

Schema :

Schema VPN


I attached the both configuration to this post

I updated ASA from 8.2.5 to 8.4.6 and finally 9.2.4 recently. Another ASA 5505 v8.2.5 works well in a both way (VPN connection through ASA and connection VPN through ASA1 to this ASA).

I tried many solution to resolve the problem (static nat/ipsec inspection) but I failed to solve it. I tried to see asp drop captured in ASA1 but I had only "nat-xlate-failed" drop reason.

Thank you for your help because I will become crazy...

Olivier,

Ps : sorry for my english...

Labels:
Preview file
26 KB
Preview file
22 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎05-30-2016 10:07 AM

Hi Olivier,

Could you allow icmp inspection on both the ASA's ?

Use this command and check :

fixup protocol icmp

Regards,

Aditya

Please rate helpful posts and mark correct answers.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎05-30-2016 10:07 AM

Hi Olivier,

Could you allow icmp inspection on both the ASA's ?

Use this command and check :

fixup protocol icmp

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
OlivierSI
Level 1
Level 1
In response to Aditya Ganjoo

‎05-30-2016 10:37 AM

Hi Aditya,

You are the best, I'm on it since 2 weeks and you solve it !!! I will perform more test to be sure...

It is too bad this information is not easy to find, I've searched deeply...

Thanks a lot,

Olivier.

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to OlivierSI

‎05-30-2016 11:10 AM

Hi Olivier,

Glad to assist. :)

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents