VPN config ASA 5510

Status
Not open for further replies.

mdc1973

Technical User
Jul 7, 2003
I have a VPN between my ASA (running 7.2(19)) and a (3rd party managed) Cisco router running a secure IOS version 12.4, and seem to have encountered a weird issue.

LAN A behind the router can ping/ RDP/ whatever across to LAN B behind the ASA, but LAN B can't initiate a connection to LAN A. I have set a capture on the inside interface of the ASA and can see the attempts to connect to the remote server but nothing coming back.

Set up is:

LAN A ----- Router A -----internet------ ASA B ------ LAN B


My VPN config is:

access-list vpn extended permit ip 10.0.0.0 255.0.0.0 10.0.3.176 255.255.255.240
access-list vpn extended permit icmp 10.0.0.0 255.0.0.0 10.0.3.176 255.255.255.240

crypto map mymap 8 match address vpn
crypto map mymap 8 set pfs
crypto map mymap 8 set peer 87.x.x.x
crypto map mymap 8 set transform-set AES-SHA

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac


crypto isakmp policy 32
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 87.x.x.x type ipsec-l2l
tunnel-group 87.x.x.x ipsec-attributes
 pre-shared-key *

Though I don't manage the router, they have sent me the config and I can't see anything unusual with it. As the tunnel is up and passes traffic successfully one way, I don't think it's a problem there.

Any thoughts from anyone on this? Have I missed something obvious?
 