Site to Site ASA VPN, 1 subnet only working 1 way

Unanswered Question
Nov 24th, 2011
I have a 5505 connected to a 5510 via a site-to-site VPN. The VPN has 5 subnets in the ACL at both ends, but 2 of the subnets are assigned for remote access on the main 5510, which means the flow of traffic on these 2 subnets is main to remote, but the VPN only works if the traffic starts from remote to main.

Both sides are set to bidirectional, and I'm not sure if this is the case for all 5 subnets, as the remote site always sends data to the other 3 subnets first.

Any ideas?



ktwaddell Thu, 11/24/2011 - 08:56
Yes it is, the subnets are part of the same NAT ACL at both ends.

At home now, so would have to post the config tomorrow morning if no one knows what it is by then.

Just to confirm the VPN comes up fine, but traffic only flows both ways once the remote end starts it off.



mopaul Fri, 11/25/2011 - 04:25

Seems like you have overlapping subnets on the main site (ASA5510), which might have more than one tunnel terminating on it. Will review the config from the ASA5505 and ASA5510 once you post them.

ktwaddell Fri, 11/25/2011 - 04:53
How do I attach the config? I have buttons for URL, image and video, but no file/document icon.

mopaul Fri, 11/25/2011 - 05:29

Yeah, even I don't see it here... Pardon me, I am back on the forums after more than a year and have yet to familiarise myself with this makeover.

See if you can paste the configuration here... I am looking for IP/interfaces, VPN, and NAT... the rest of the configuration can be removed...

ktwaddell Wed, 12/07/2011 - 23:41
Sorry, I was waiting for a change window to remove the overlapping subnets I had on the VPN; however, this hasn't sorted it.

Well, I found out how to attach a text file: just edit the post and it lets you do it!!!


The VPN is up, but I can't access the remote site subnet until the remote makes a connection first.

main site config



mudjain Fri, 11/25/2011 - 10:18
Please check if the remote site is behind a NATing device; if so, is port forwarding for UDP 500 and 4500 configured or not? If not, please do that and life should be good.

A static 1-to-1 NAT with the public peering IP is obviously good.

Make sure NAT traversal is enabled on either end.

Please post the output of show crypto ipsec sa when the tunnel is established from the site from which you cannot establish the tunnel, and show vpn-sessiondb detail l2l filter ip .

Also, please mention if there is another firewall between the tunnel-initiating site and the ISP.

