Site-Site VPNs on an ASA5510, trying to ping between the Local Hosts. One VPN the PING gets reply, the other it doesn't.
Where it works the Log Viewer shows me traffic btween LocalHost/512 and LocalHost/0 - using port 512? Where it does not work I see traffic between LocalHost/1 and LocalHost/0 - using port 1? I think some unwanted translation, or something, is leading the traffic astray, and these port(?) differnences are pointing to it. Any ideas? thanks.
I have one addition to the problem statement. On the working VPN I get an inbound connection from the remote end's Local Host to my end's Local Host, as well as outbound connection the other way. The non-working VPN I get the outbound connection from my end to the far end, but never the inbound connection from the far end to the near end.
I don't control the far end local host. An institution supports many client vpn's at that end, their support says it's ready for me to PING. I ping my local host (locally, of course, not from the tunnel) successfully, I've disabled its firewall long enough to test the VPN. What my ASA5510 firewall log says I'm missing is a "Built Inbound ICMP connection for foreign\0 \ global/1 \ local/1". I get the "Built outbound ICMP connection for foreign/0 \ global/1 \ local\1", and the "Teardown ICMP connection for foreign/0 \ global/1 \ local/1"
On my other VPN, where PING works, I the global and local addresses are always showing global/512 and local/512 instead of global/1 and local/1.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...