
ASA5505 Easy VPN NEM only works one way

vpoon87
Level 1

Hi all,

I've got a one person office using an ASA5505 in NEM. This ASA5505 connects to an ASA5520 at the office. My understanding is that I should be able to connect to any device on the LAN side of the ASA5505 from the LAN side of the ASA5520. I am not able to initiate a connection to any devices from the LAN side of the ASA5520 to the LAN side of the ASA5505. The LAN side of the ASA5505 is able to connect to devices on the LAN side of the 5520. However, if I have a PC on the LAN side of the ASA5505 ping my computer (on the LAN side of the ASA5520), I am able to connect. Essentially, the tunnel only seems to work one way. The logs on the ASA5520 show that it accepts pings on the LAN side but the ASA5505 doesn't receive the ping requests at all. I do have a route to the subnet of the LAN side of the ASA5505 on the default gateway on the LAN side of the 5520. What am I missing?

Thanks

Victor


nitinaga
Level 1

Hi Victor,

Are you not able to initiate the tunnel from the ASA 5520, or is it that when the tunnel is established you are not able to reach the LAN side of the ASA 5505?

Regards,

Nitin

Hi Nitin,

Thanks for the reply.

The ASA5505 is set to Easy VPN mode so it always initiates the connection. The 5520 does not initiate the connection.

Best regards

Victor

a.alekseev
Level 7

show the configurations

a.alekseev
Level 7

I could suppose that in the configurations you have something like

nat (inside) 0 a.a.a.0 255.255.255.0

you should replace it with

nat (inside) 0 access-list NO-NAT-INSIDE

access-list NO-NAT-INSIDE permit ip a.a.a.0 255.255.255.0 b.b.b.b 255.255.255.0

Thanks for the reply.

I have

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip 192.168.230.0 255.255.255.0 object-group Internal_Networks

Object group Internal_Networks has the subnet of the LAN side of the ASA5505.

Attached are the configurations.

Thanks!

Problem was solved. On the remote ASA 5505 I needed the command 'vpnclient nem-st-autoconnect'

Thanks!

Victor
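
As an added example (not part of the original thread and not Cisco tooling): a small Python check that reads an ASA 5505 running-config and flags the condition resolved above, network extension mode configured without `vpnclient nem-st-autoconnect`. The sample configuration, including its address, group name and user name, is constructed and does not come from the attached configurations.

```python
# Constructed sample of an ASA 5505 Easy VPN Remote configuration.
# Address, group name and user name are placeholders.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
vpnclient server 203.0.113.10
vpnclient mode network-extension-mode
vpnclient vpngroup EXAMPLE-GROUP password *****
vpnclient username example-user password *****
vpnclient enable
"""


def parse_vpnclient(config):
    """Collect the 'vpnclient' statements from a running-config dump."""
    state = {"enabled": False, "mode": None, "autoconnect": False, "servers": []}
    for raw in config.splitlines():
        line = raw.strip()
        # Negated ('no ...') and unrelated lines do not set anything.
        if not line.startswith("vpnclient "):
            continue
        words = line.split()[1:]
        if words == ["enable"]:
            state["enabled"] = True
        elif words == ["nem-st-autoconnect"]:
            state["autoconnect"] = True
        elif words[0] == "mode" and len(words) == 2:
            state["mode"] = words[1]
        elif words[0] == "server":
            state["servers"].extend(words[1:])
    return state


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    state = parse_vpnclient(config)
    if not state["enabled"]:
        return ["Easy VPN Remote is not enabled (no 'vpnclient enable')"]
    findings = []
    if state["mode"] != "network-extension-mode":
        findings.append("not in network-extension-mode: hosts behind the "
                        "5505 are not addressable from the headend LAN")
    elif not state["autoconnect"]:
        findings.append("NEM without 'vpnclient nem-st-autoconnect': "
                        "the fix reported in this thread is missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```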
