Recently I have established a VPN connection between our Head Office and Branch Office ASA firewalls. But we are facing some issues, and one more requirement is still pending. Please find the attached config for your kind reference.
One-way ping issue: Branch Office to Head Office connectivity (LAN to LAN) is fine. But from Head Office to Branch Office, LAN connectivity is not happening to a particular subnet (172.16.20.X). Pings from remote subnets at the Branch Office to Head Office subnets are fine, but pings from the Head Office LAN (172.16.10.X) to the Branch Office LAN (172.16.20.X) are not happening. From the HO ASA it is also not pinging.
New requirement to do
Only users at the remote subnet (172.16.20.X) should use the Internet of the Head Office. The reason we are trying to implement this is that there is no proxy set at the remote office at the moment, so we would like to use the same proxy located in the HO LAN (172.26.10.X) for remote-location users as well.
Let's first take a look at your encryption domain. It states that the networks participating in the L2L VPN connection are
The Branch site is easy to check, as it only has one local interface and all the source networks are behind that interface. Your crypto ACL and the NAT0 ACL match each other on the Branch Office side, so that should be fine. Also, you don't have an internal interface ACL configured, so all traffic should be allowed.
On the Head Office side it seems to me that you have not allowed traffic to be initiated to the remote site network 172.16.20.0/24.
You can test this with "packet-tracer" on the Head Office ASA:
packet-tracer input inside tcp
See if it gets blocked by the ACL.
Or you could simply allow all traffic from the Head Office local LAN networks to the Branch Office in the ACL:
access-list ACL-inside line 1 remark Allow traffic to L2L VPN
access-list ACL-inside line 2 permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
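As an added illustration (not part of the answer above or of Cisco's tooling), the following Python script reproduces the two checks described in this thread offline: whether a Head Office to Branch Office flow is permitted by the inside ACL (first match, then the ASA's implicit deny), and whether a site's crypto ACL and NAT0 ACL mirror each other. The `ACL-inside` lines are the ones from the answer; the Branch Office ACL names `L2L-VPN` and `NAT0` are constructed placeholders, since the original config attachment is not on the page.

```python
import ipaddress
import re

# ACL lines quoted from the answer above (Head Office inside interface).
HO_INSIDE_ACL = """
access-list ACL-inside line 1 remark Allow traffic to L2L VPN
access-list ACL-inside line 2 permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
"""

# Constructed Branch Office crypto ACL and NAT0 ACL; the ACL names are placeholders.
BRANCH_CRYPTO = "access-list L2L-VPN permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0"
BRANCH_NAT0 = "access-list NAT0 permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0"

# Only the "permit|deny ip <net> <mask> <net> <mask>" form used on this page is parsed;
# "host"/"any" keywords and port-level rules are out of scope here.
_RULE = re.compile(
    r"access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)

def parse_acl(text):
    """Return [(action, src_net, dst_net)] in order; remark lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            rules.append((m["action"], src, dst))
    return rules

def is_permitted(rules, src_ip, dst_ip):
    """First-match evaluation; no match means the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action == "permit"
    return False

def mirrors(crypto_rules, nat0_rules):
    """True when both ACLs permit exactly the same (src, dst) network pairs."""
    def pairs(rules):
        return {(src, dst) for action, src, dst in rules if action == "permit"}
    return pairs(crypto_rules) == pairs(nat0_rules)

if __name__ == "__main__":
    ho = parse_acl(HO_INSIDE_ACL)
    print("HO 172.16.10.5 -> Branch 172.16.20.7 permitted:", is_permitted(ho, "172.16.10.5", "172.16.20.7"))
    print("Branch crypto ACL mirrors NAT0 ACL:", mirrors(parse_acl(BRANCH_CRYPTO), parse_acl(BRANCH_NAT0)))
```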