Cisco Support Community
Community Member

ASA5505 Easy VPN NEM only works one way

Hi all,

I've got a one person office using an ASA5505 in NEM. This ASA5505 connects to an ASA5520 at the office. My understanding is that I should be able to connect to any device on the LAN side of the ASA5505 from the LAN side of the ASA5520. I am not able to initiate a connection to any devices from the LAN side of the ASA5520 to the LAN side of the ASA5505. The LAN side of the ASA5505 is able to connect to devices on the LAN side of the 5520. However, if I have a PC on the LAN side of the ASA5505 ping my computer (on the LAN side of the ASA5520), I am able to connect. Essentially, the tunnel only seems to work one way. The logs on the ASA5520 show that it accepts pings on the LAN side but the ASA5505 doesn't receive the ping requests at all. I do have a route to the subnet of the LAN side of the ASA5505 on the default gateway on the LAN side of the 5520. What am I missing?

Thanks

Victor

6 REPLIES
Community Member

Re: ASA5505 Easy VPN NEM only works one way

Hi Victor,

Are you not able to initiate the tunnel from the ASA 5520, or is it that when the tunnel is established you are not able to reach the LAN side of the ASA 5505?

Regards,

Nitin

Community Member

Re: ASA5505 Easy VPN NEM only works one way

Hi Nitin,

Thanks for the reply.

The ASA5505 is set to Easy VPN mode so it always initiates the connection. The 5520 does not initiate the connection.

Best regards

Victor

Re: ASA5505 Easy VPN NEM only works one way

Show the configurations.

Re: ASA5505 Easy VPN NEM only works one way

I suppose that in the configurations you have something like:

nat (inside) 0 a.a.a.0 255.255.255.0

You should replace it with:

nat (inside) 0 access-list NO-NAT-INSIDE

access-list NO-NAT-INSIDE permit ip a.a.a.0 255.255.255.0 b.b.b.b 255.255.255.0

Community Member

Re: ASA5505 Easy VPN NEM only works one way

Thanks for the reply.

I have

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip 192.168.230.0 255.255.255.0 object-group Internal_Networks

Object group Internal_Networks has the subnet of the LAN side of the ASA5505.

Attached are the configurations.

Thanks!

Community Member

Re: ASA5505 Easy VPN NEM only works one way

Problem was solved. On the remote ASA 5505 I needed the command 'vpnclient nem-st-autoconnect'.

Thanks!

Victor
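
An added example, not part of the thread and not Cisco tooling: a small check over a saved ASA 5505 running-config for the condition resolved above, network extension mode configured without `vpnclient nem-st-autoconnect`. The sample configuration, server address, group name and user name are constructed placeholders.

```python
# Constructed sample of an ASA 5505 Easy VPN remote configuration.
# Address, group and user names are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
hostname remote-5505
vpnclient server 203.0.113.10
vpnclient mode network-extension-mode
vpnclient vpngroup EXAMPLE-GROUP password *****
vpnclient username exampleuser password *****
vpnclient enable
"""


def parse_vpnclient(config_text):
    """Collect the 'vpnclient' lines of a running-config into a dict."""
    settings = {"mode": None, "servers": [], "autoconnect": False, "enabled": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        # Negated ('no vpnclient ...') and unrelated lines are ignored.
        if not line.startswith("vpnclient "):
            continue
        words = line.split()
        keyword = words[1]
        if keyword == "mode" and len(words) > 2:
            settings["mode"] = words[2]
        elif keyword == "server":
            settings["servers"].extend(words[2:])
        elif keyword == "nem-st-autoconnect":
            settings["autoconnect"] = True
        elif keyword == "enable":
            settings["enabled"] = True
    return settings


def audit(config_text):
    """Return a list of findings for the Easy VPN remote settings."""
    s = parse_vpnclient(config_text)
    findings = []
    if s["mode"] == "network-extension-mode" and not s["autoconnect"]:
        findings.append("NEM is configured without 'vpnclient nem-st-autoconnect' "
                        "(the command that resolved the one-way tunnel in this thread)")
    if s["mode"] is not None and not s["enabled"]:
        findings.append("Easy VPN remote is configured but 'vpnclient enable' is missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```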
