can only pass traffic one way through ASA site to site

I have a 5510 connected to a 5505 using a site-to-site VPN and can communicate from the internal network of the 5505 to the internal network on the 5510, but not vice versa (also NOTE: ping does not work either way).

3 REPLIES

Hello,

I analyzed the configuration, and I saw that you have phase 1 and phase 2 correctly configured, and NAT 0:

 

The output of the main config of the 2 ASAs:

50.192.51.129

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 12.15.83.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_10 object SI-DDS-Airport

object-group network DM_INLINE_NETWORK_10
 network-object 10.0.2.0 255.255.255.0
 network-object 172.16.0.0 255.255.0.0

object network SI-DDS-Airport
 subnet 10.0.5.0 255.255.255.0

nat (inside,outside) source static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 destination static SI-DDS-Airport SI-DDS-Airport no-proxy-arp route-lookup

----------------------------------------------------------------

12.15.83.10

crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 50.192.51.129
crypto map outside_map 2 set transform-set ESP-3DES-SHA

access-list outside_cryptomap extended permit ip 10.0.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

object-group network DM_INLINE_NETWORK_1
 network-object SI-Server-Network 255.255.255.0
 network-object SI-LAN-Network 255.255.0.0

name 10.0.2.0 SI-Server-Network
name 172.16.0.0 SI-LAN-Network

access-list inside_nat0_outbound_1 extended permit ip 10.0.5.0 255.255.255.0 SI-Server-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.0.5.0 255.255.255.0 SI-LAN-Network 255.255.0.0

 

 

Though I see that on the 5510, you don't have a route to indicate where 10.0.5.0/24 is:

 

route outside 10.0.5.0 255.255.255.0 50.192.51.142

 

Also on the 5505:

 

I would recommend that you add the routes:

 

route outside 10.0.2.0 255.255.255.0 12.15.83.9

route outside 172.16.0.0 255.255.0.0 12.15.83.9

 

Please attach the following:

 

On the 5505 

Run these packet tracers twice after doing the previous changes:

- packet-tracer input inside icmp 10.0.5.25 8 0 10.0.2.25 de

- packet-tracer input inside icmp 10.0.5.25 8 0 172.16.0.15 de

 

Then take these outputs:
 

- show crypto isakmp sa

- show crypto ipsec sa

 

 

If the issue persists, run a capture:

Open a server or computer and do a constant ping to any host on the other side:

 

capture CAP interface inside match ip host <IP_10.0.5.X> host <IP_10.0.2.X>

 

Let me know how it works out,

 

Please don't forget to rate and mark as correct the helpful post!

 

David Castro,

 

Regards,
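As an added example (not part of this thread or of Cisco's own tooling), a small Python check for the condition the analysis above verifies by eye: each peer's crypto ACL must be the exact mirror of the other's, and the 5505's nat0 ACL must cover every pair in its crypto ACL, otherwise only one direction gets proxied into the tunnel. It assumes the ACLs have already been expanded from object-groups and `name` entries into plain `permit ip SRC MASK DST MASK` lines; the constants below are constructed from the configs quoted in the thread.

```python
from ipaddress import ip_network

# Constructed from the quoted configs, with object-groups/names expanded.
ASA5510_CRYPTO_ACL = """
permit ip 10.0.2.0 255.255.255.0 10.0.5.0 255.255.255.0
permit ip 172.16.0.0 255.255.0.0 10.0.5.0 255.255.255.0
"""
ASA5505_CRYPTO_ACL = """
permit ip 10.0.5.0 255.255.255.0 10.0.2.0 255.255.255.0
permit ip 10.0.5.0 255.255.255.0 172.16.0.0 255.255.0.0
"""
ASA5505_NAT0_ACL = """
permit ip 10.0.5.0 255.255.255.0 10.0.2.0 255.255.255.0
permit ip 10.0.5.0 255.255.255.0 172.16.0.0 255.255.0.0
"""


def parse_acl(text):
    """Return a set of (src, dst) networks from simplified 'permit ip S M D M' lines."""
    pairs = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            continue  # only the expanded form is handled in this example
        src = ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        dst = ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_acl, remote_acl):
    """Flows (in the local orientation) that only one peer would proxy.

    The remote ACL is reversed so both sides are compared in the same
    direction; a non-empty result explains traffic working one way only."""
    local = parse_acl(local_acl)
    remote_reversed = {(d, s) for s, d in parse_acl(remote_acl)}
    return sorted(f"{s} -> {d}" for s, d in local ^ remote_reversed)


def unexempted(crypto_acl, nat0_acl):
    """Crypto-ACL flows the nat0 ACL does not exempt from translation."""
    return sorted(f"{s} -> {d}" for s, d in parse_acl(crypto_acl) - parse_acl(nat0_acl))


if __name__ == "__main__":
    print("5510 vs 5505 mismatches:", mirror_mismatches(ASA5510_CRYPTO_ACL, ASA5505_CRYPTO_ACL))
    print("5505 flows not NAT-exempt:", unexempted(ASA5505_CRYPTO_ACL, ASA5505_NAT0_ACL))
```

For the configs in this thread both checks come back empty, which is consistent with the analysis above that the crypto and NAT 0 definitions are correct and points the search toward routing and interface ACLs.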

 

New Member

Tried all that, and from the output it would appear everything is working properly. However, I still cannot ping or access anything on the 5505 network from the 5510 network.

 

Thanks for the help.

I see, could you please attach the following from both VPN gateways:

 

- show crypto ipsec sa peer <Peer_IP_address>

- show crypto isakmp sa

 

Also, for a quick test, do this (This would not affect your production):

 

access-list inside_access permit ip any any

 

access-group inside_access in interface inside

 

If this works, you will need to create the access group correctly applied on the inside interface; take a look at this DOC (Access groups).

 

On both ASAs, try sending traffic and also attach the packet tracers, so we can see the phases:

 

On the 5505 

Run these packet tracers twice after doing the previous changes:

- packet-tracer input inside icmp 10.0.5.25 8 0 10.0.2.25 de

- packet-tracer input inside icmp 10.0.5.25 8 0 172.16.0.15 de

 

Please don't forget to rate and mark as correct the helpful post!

 

David Castro,

 

Regards,
