ASA5505 Easy VPN NEM only works one way

Unanswered Question
Mar 26th, 2009

Hi all,

I've got a one person office using an ASA5505 in NEM. This ASA5505 connects to an ASA5520 at the office. My understanding is that I should be able to connect to any device on the LAN side of the ASA5505 from the LAN side of the ASA5520. I am not able to initiate a connection to any devices from the LAN side of the ASA5520 to the LAN side of the ASA5505. The LAN side of the ASA5505 is able to connect to devices on the LAN side of the 5520. However, if I have a PC on the LAN side of the ASA5505 ping my computer (on the LAN side of the ASA5520), I am able to connect. Essentially, the tunnel only seems to work one way. The logs on the ASA5520 show that it accepts pings on the LAN side but the ASA5505 doesn't receive the ping requests at all. I do have a route to the subnet of the LAN side of the ASA5505 on the default gateway on the LAN side of the 5520. What am I missing?



nitinaga Fri, 03/27/2009 - 01:02

Hi Victor,

Are you not able to initiate the tunnel from the ASA 5520, or is it that when the tunnel is established you are not able to reach the LAN side of the ASA 5505?



vpoon87 Fri, 03/27/2009 - 07:46

Hi Nitin,

Thanks for the reply.

The ASA5505 is set to Easy VPN mode so it always initiates the connection. The 5520 does not initiate the connection.

Best regards


a.alekseev Fri, 03/27/2009 - 05:51

I could suppose that in the configurations you have something like

nat (inside) 0 a.a.a.0

you should replace it with

nat (inside) 0 access-list NO-NAT-INSIDE

access-list NO-NAT-INSIDE permit ip a.a.a.0 b.b.b.b

vpoon87 Fri, 03/27/2009 - 10:20

Thanks for the reply.

I have

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip object-group Internal_Networks

Object group Internal_Networks has the subnet of the LAN side of the ASA5505.

Attached are the configurations.


vpoon87 Wed, 04/01/2009 - 15:58

Problem was solved. On the remote ASA 5505 I needed the command 'vpnclient nem-st-autoconnect'
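
The fix from the last post shown in context, as an added example that is not taken from the thread or its attached configurations: a minimal Easy VPN Remote section for an ASA 5505 in NEM. The server address, group name, user name and both secrets are placeholders, and the example assumes the headend group policy uses split tunneling, which is the case Cisco's command reference ties `vpnclient nem-st-autoconnect` to.

```cisco
! Constructed example: ASA 5505 as Easy VPN Remote (hardware client) in NEM.
! 192.0.2.1, EZVPN-GROUP, remote-user and both secrets are placeholders.
vpnclient server 192.0.2.1
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN-GROUP password <group-pre-shared-key>
vpnclient username remote-user password <user-password>
!
! The command from the thread. With NEM and split tunneling (assumed here),
! it makes the 5505 bring up the IPsec data tunnels automatically once it
! connects, rather than only when a host behind the 5505 sends traffic,
! which matches the one-way symptom in the first post.
vpnclient nem-st-autoconnect
!
vpnclient enable
!
! Check on the 5505 after it reconnects: IPsec SAs covering the inside
! subnet should be present before any inside host has sent traffic.
! show crypto ipsec sa
```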



