Site to Site VPN Established, but not passing traffic properly
We have a Cisco ASA 5505 with a site-to-site VPN to a Cisco SA520. The VPN is up and I can confirm that on both devices. I have an FTP server behind the ASA and a web server behind the SA520. Here is the network setup:
FTP server (10.0.6.100/24) ---> (10.0.6.254) ASA (172.16.16.2) <----> (172.16.10.2) SA520 (10.0.1.254/24) <---- web server (10.0.1.100/24)
I can browse to the FTP server from the web server and download a file just fine; however, when I'm on the FTP server I cannot access anything on the web server. I believe the issue is on the ASA, so I will post the relevant configuration:
nhla-asa# show ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy NHLA internal
group-policy NHLA attributes
 wins-server value 10.0.6.1
 dns-server value 10.0.6.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NHLA_VPN
 default-domain value nhla.local
tunnel-group NHLA_Remote_Clients type remote-access
tunnel-group NHLA_Remote_Clients general-attributes
 address-pool VPN_Pool
 authentication-server-group NHLA
 default-group-policy NHLA
tunnel-group NHLA_Remote_Clients ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.13.2 type ipsec-l2l
tunnel-group 172.16.13.2 ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.10.2 type ipsec-l2l
tunnel-group 172.16.10.2 ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.12.2 type ipsec-l2l
tunnel-group 172.16.12.2 ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.15.2 type ipsec-l2l
tunnel-group 172.16.15.2 ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.11.2 type ipsec-l2l
tunnel-group 172.16.11.2 ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.14.2 type ipsec-l2l
tunnel-group 172.16.14.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5341dbf059dbada608646ae3aa5f2a8b
: end
nhla-asa#
When I issue a ping from my web server to my FTP server, it goes through just fine and you can see the "pkts encaps" and "pkts decaps" counters increment. When I issue a ping from my FTP server to my web server, I get a request timeout, and no counters increment. I've done crypto isakmp, ipsec, and engine debugs with 255 for verbosity and I receive no messages when I ping from FTP to web. I've even configured the ASA to do a packet capture and it does not pick up any packets when I ping from FTP to web.
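The checks the post describes (SA counters, debugs, a packet capture) can be run as one session on the ASA so that each result narrows where the FTP-to-web flow is lost. The block below is an added example and not commands from the original post. It uses the addresses from the post's diagram; the interface name `inside` and the capture name `vpntest` are assumptions, since the excerpt above does not name the interfaces and also omits the crypto map, its interesting-traffic ACL and the NAT exemption, which are exactly what these commands exercise.

```cisco
! Added example, not from the original post. Assumes the LAN-facing
! interface is called "inside"; the capture name "vpntest" is arbitrary.

! 1. Capture only the flow under test so other host traffic cannot hide it.
capture vpntest interface inside match ip host 10.0.6.100 host 10.0.1.100

! 2. Simulate the FTP server's ICMP echo request (type 8, code 0) through
!    the ASA policy path: route lookup, ACL, NAT, then VPN encryption.
packet-tracer input inside icmp 10.0.6.100 8 0 10.0.1.100 detailed

! 3. Read the IPsec SA for the SA520 peer. "local ident" / "remote ident"
!    must cover 10.0.6.0/24 <-> 10.0.1.0/24 and "#pkts encaps" should rise.
show crypto ipsec sa peer 172.16.10.2

! 4. Now ping 10.0.1.100 from 10.0.6.100 and check whether the ASA saw it.
show capture vpntest

! 5. Clean up.
no capture vpntest
```

Reading the results: if packet-tracer ends in a DROP in the NAT or VPN phase, the ASA is not NAT-exempting the flow or its crypto ACL does not match 10.0.6.0/24 to 10.0.1.0/24, so the packet never becomes "interesting traffic" and no encaps counter or debug line is produced. If packet-tracer allows the flow but the filtered capture stays empty while the host is pinging, the echo request is not reaching the ASA at all, which points at the FTP server's default gateway or host firewall rather than at the tunnel.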