Default firewall policy blocking stuff

Honest Bob

Hey guys I'm having an issue with PFSense blocking traffic on a site to site ipsec tunnel.

There is a Cisco ASA 5512x (172.21.36.0/255.255.254.0) on one end and a PFSense box (192.168.25.1/255.255.255.192) at the remote site.

I have AD domain controllers on both sides of the tunnel that are trying to replicate but are getting rpc errors.

I can ping and dns is working perfectly from both sides however I can see in the firewall logs that pfsense is blocking the domain controller on the remote site (192.168.25.5) from contacting the domain controller at the main site (172.21.37.29).

I setup a gateway, static route, and ipsec rule but I'm missing something.

Help!
![firewall blocking.jpg](/public/imported_attachments/1/firewall blocking.jpg)
![firewall blocking.jpg_thumb](/public/imported_attachments/1/firewall blocking.jpg_thumb)

gateway.jpg_thumb

nat.jpg_thumb

nat2.jpg_thumb

rule.jpg_thumb
![static route.jpg](/public/imported_attachments/1/static route.jpg)
![static route.jpg_thumb](/public/imported_attachments/1/static route.jpg_thumb)

Honest Bob

I'm guessing this should probably be moved to the firewalling section as its not an ipsec issue per say.

![firewall blocking.jpg](/public/imported_attachments/1/firewall blocking.jpg)
![firewall blocking.jpg_thumb](/public/imported_attachments/1/firewall blocking.jpg_thumb)

viragomann

The blocks shown in the log are out of state and are blocked by the default deny rule.
Maybe it's a kind of asymmetric routing. Here is some help for this: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

The static route and the gateway should not be needed in an IPSec setup. The routing options are set in the IPSec phase 2 settings.

The IPSec gateway is a pure nonsense anyway. A gateway on LAN interface with the LAN address? ::)