Re: Tunnel working in one direction - All IPSec SA proposals fou
The crypto ACL is incorrect.
Assuming that ASA LAN is 192.168.2.0/24 and router LAN is 192.168.1.0/24, the following ACL should be configured:
On the router:
ip access-list extended TUNNEL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
On the ASA:
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The other ACL lines that have been configured should be removed. Most importantly, the number of ACL lines on the router should match the number on the ASA, with a mirror-image ACL for the subnets.
You also need to remove the following on the ASA as the router is not configured to use PFS:
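To check the mirror-image requirement described in the reply above, here is an added example (not part of the original post) that parses an IOS crypto ACL (wildcard masks) and an ASA crypto ACL (subnet masks), normalises both to networks and reports any entry without a mirror on the other side. The second ASA list is constructed to show a mismatch; the first pair is the configuration given in the reply.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """IOS wildcard: 0 bits must match, 1 bits are don't-care (inverse of a netmask).
    Assumes a contiguous wildcard, which is what crypto ACLs use in practice."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_ios_ace(line):
    """'permit ip SRC WILDCARD DST WILDCARD' -> (src_net, dst_net). Header lines
    such as 'ip access-list extended TUNNEL' are not ACEs and must not be passed in."""
    t = line.split()
    if len(t) != 6 or t[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported IOS ACE: {line}")
    return wildcard_to_network(t[2], t[3]), wildcard_to_network(t[4], t[5])

def parse_asa_ace(line):
    """'access-list NAME extended permit ip SRC MASK DST MASK' -> (src_net, dst_net)."""
    t = line.split()
    if len(t) != 9 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ASA ACE: {line}")
    return (ipaddress.IPv4Network(f"{t[5]}/{t[6]}", strict=False),
            ipaddress.IPv4Network(f"{t[7]}/{t[8]}", strict=False))

def check_mirror(router_acl, asa_acl):
    """Return a list of problems; an empty list means the two crypto ACLs mirror each other."""
    r = [parse_ios_ace(l) for l in router_acl]
    a = [parse_asa_ace(l) for l in asa_acl]
    problems = []
    if len(r) != len(a):
        problems.append(f"line count differs: router {len(r)} vs ASA {len(a)}")
    # A router entry src->dst must appear on the ASA as dst->src, and vice versa.
    mirrored_asa = {(dst, src) for src, dst in a}
    for src, dst in r:
        if (src, dst) not in mirrored_asa:
            problems.append(f"router {src} -> {dst} has no mirror on the ASA")
    router_set = set(r)
    for src, dst in a:
        if (dst, src) not in router_set:
            problems.append(f"ASA {src} -> {dst} has no mirror on the router")
    return problems

# The ACEs from the reply above (router side and ASA side).
ROUTER_OK = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
ASA_OK = ["access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"]
# Constructed: an extra ASA line with no counterpart on the router.
ASA_BAD = ASA_OK + ["access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0"]

if __name__ == "__main__":
    print("correct pair:", check_mirror(ROUTER_OK, ASA_OK) or "OK")
    print("mismatched pair:", check_mirror(ROUTER_OK, ASA_BAD))
```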