I have an ASA5510 at a main site that provides Internet access for the remote-site VPN (no split tunneling), and everything works fine. Now I need to send all the VPN traffic to an L3 switch connected on the inside interface of the ASA (for NAC purposes), and this switch has the ASA as its default route. When, from a remote site, I ping the Internet, I see the echo go through the VPN, then the L3 switch, back to the ASA and then out to the Internet (the wanted behavior). The problem is with the echo-reply: it seems to die on the ASA and never reaches the PC that initiated the ping.
Is it the stateful inspection of the ASA that kills the echo-reply? Is there a way to avoid this behavior? With a tunneled default route on the ASA, is the echo-reply supposed to be sent back to the tunneled default route (in this case, the L3 switch), or is the ASA supposed to route the echo-reply directly to the remote site via the VPN?
To check whether this is a problem with the ASA config, do a ping from the remote end over the VPN and see if you get a reply. If you do, the ASA config is proper, and the reason you are not getting the ping response when a ping is initiated from your end is that the echo reply is not being sent into the VPN tunnel and hence is being dropped by the ASA.
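As an added illustration that is not part of this thread and not the ASA's own implementation, the following Python model shows the general mechanism the question is asking about: a stateful ICMP inspector opens a one-shot state entry per echo request and closes it on the first matching echo-reply. When a flow is hairpinned through the inspector twice (as the VPN traffic is here, out to the L3 switch and back), both passes of the request collide on the same (src, dst, id, seq) key, so the reply's first pass consumes the entry and its second pass finds no state and is dropped. Interface names, the hop sequence and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IcmpPacket:
    """One ICMP echo packet as seen by the inspector (constructed sample data)."""
    kind: str       # "echo-request" or "echo-reply"
    src: str
    dst: str
    icmp_id: int
    seq: int
    ingress: str    # interface the packet arrived on


@dataclass
class StatefulIcmpInspector:
    """Toy stateful ICMP inspector (simplified model, not the ASA's code).

    An echo request opens a one-shot state entry keyed on
    (src, dst, icmp_id, seq). The first echo-reply matching the reversed
    tuple closes that entry and is forwarded; a reply with no open entry
    is dropped as unsolicited.
    """
    state: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def process(self, pkt: IcmpPacket) -> str:
        """Return "forward" or "drop" for one packet and record why."""
        if pkt.kind == "echo-request":
            key = (pkt.src, pkt.dst, pkt.icmp_id, pkt.seq)
            # A second traversal of the same request (hairpin) re-uses the
            # same key, so only ONE entry exists for both passes.
            self.state.add(key)
            self.log.append(f"{pkt.ingress}: request {pkt.src}->{pkt.dst} "
                            f"seq={pkt.seq}: forward (state open)")
            return "forward"
        if pkt.kind != "echo-reply":
            raise ValueError(f"unsupported ICMP kind: {pkt.kind}")
        # A reply matches the request tuple with src/dst reversed.
        key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.seq)
        if key in self.state:
            self.state.discard(key)   # one reply per request: entry consumed
            self.log.append(f"{pkt.ingress}: reply {pkt.src}->{pkt.dst} "
                            f"seq={pkt.seq}: forward (state closed)")
            return "forward"
        self.log.append(f"{pkt.ingress}: reply {pkt.src}->{pkt.dst} "
                        f"seq={pkt.seq}: drop (no matching request)")
        return "drop"


# Constructed addresses: VPN client in 192.0.2.0/24, Internet host in 198.51.100.0/24.
VPN_CLIENT = "192.0.2.10"
INTERNET_HOST = "198.51.100.1"


def symmetric_scenario() -> list:
    """No detour: request and reply each cross the inspector once."""
    fw = StatefulIcmpInspector()
    hops = [
        IcmpPacket("echo-request", VPN_CLIENT, INTERNET_HOST, 0x1234, 1, "outside"),
        IcmpPacket("echo-reply", INTERNET_HOST, VPN_CLIENT, 0x1234, 1, "outside"),
    ]
    return [fw.process(p) for p in hops]


def hairpin_scenario() -> list:
    """VPN traffic detoured via an L3 switch on 'inside' and back (hairpin).

    Hop order: request decrypted from the VPN (outside), request returned by
    the switch (inside), reply from the Internet (outside), reply returned by
    the switch (inside) on its way back toward the VPN client.
    """
    fw = StatefulIcmpInspector()
    hops = [
        IcmpPacket("echo-request", VPN_CLIENT, INTERNET_HOST, 0x1234, 1, "outside"),
        IcmpPacket("echo-request", VPN_CLIENT, INTERNET_HOST, 0x1234, 1, "inside"),
        IcmpPacket("echo-reply", INTERNET_HOST, VPN_CLIENT, 0x1234, 1, "outside"),
        IcmpPacket("echo-reply", INTERNET_HOST, VPN_CLIENT, 0x1234, 1, "inside"),
    ]
    verdicts = [fw.process(p) for p in hops]
    for line in fw.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    print("symmetric:", symmetric_scenario())
    print("hairpin:  ", hairpin_scenario())
```

In the hairpinned run the last verdict is a drop: the reply was already accounted for on its first pass through the inspector, so when the switch hands it back there is no open state for it. Running the model side by side with the diagnostic in the answer above (a ping started from the far end of the VPN, which never takes the detour) is a quick way to separate "routing is wrong" from "the reply is being treated as unsolicited".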