Pfsense 2.1 and cisco asa5520 one way traffic (SOLVED)



  • Greetings everyone. Long time lurker, first time poster. I've been using pfsense for many years. I love it! For many years, I've had ipsec vpn tunnels to WatchGuard and Sonicwalls. Very easy ipsec installs and configurations. The tunnels worked great. Traffic going both ways, "in" to my home network, and "out" to my work network. I could vnc either way. One day, I can't remember when nor how, maybe after an upgrade, I lost the ability for traffic to flow from my work to my home. I could no longer vnc, ping, rdp, telnet port 80, nothing from my work into my home network. Traffic the other way around worked flawlessly though. I could still, and can right now continue to do so, get traffic flowing from my home to my work.

    What in the world happened? I have read many docs, faqs, googled, etc… I cannot find a solution to this. I have 2 vpns, for example, that I can only get traffic flowing from my home (pfsense) to my work (Cisco ASA5520 and Sonicwall). I can go from home to work without any problems. I cannot get from work (Cisco ASA5520 and Sonicwall) to home (pfsense), no ping, no vnc, no rdp, no telnet port 80 etc... Could someone please offer suggestions? This hasn't really been an issue because I am more concerned about getting into my job network from home than getting into my home network from my job.

    Unfortunately, I must now find a solution as to why I can only get traffic flowing one way, not both ways. Below is the pfsense ipsec log:

    Sep 19 13:49:06 racoon: [Westside Do]: INFO: IPsec-SA established: ESP 68.183.90.1XX[500]->64.183.74.1XX[500] spi=3040980319(0xb541ad5f)
    Sep 19 13:49:06 racoon: [Westside Do]: INFO: IPsec-SA established: ESP 68.183.90.1XX[500]->64.183.74.1XX[500] spi=248365988(0xecdc3a4)
    Sep 19 13:49:06 racoon: WARNING: attribute has been modified.
    Sep 19 13:49:06 racoon: [Westside Do]: INFO: initiate new phase 2 negotiation: 68.183.90.1XX[500]<=>64.183.74.1XX[500]
    Sep 19 13:49:05 racoon: [Westside Do]: INFO: ISAKMP-SA established 68.183.90.1XX[500]-64.183.74.1XX[500] spi:d67da37eef55e766:56a3d937762447fe
    Sep 19 13:49:05 racoon: WARNING: port 500 expected, but 0
    Sep 19 13:49:05 racoon: INFO: received Vendor ID: DPD
    Sep 19 13:49:05 racoon: INFO: NAT not detected
    Sep 19 13:49:05 racoon: INFO: NAT-D payload #1 verified
    Sep 19 13:49:05 racoon: [Westside Do]: [64.183.74.1XX] INFO: Hashing 64.183.74.1XX[500] with algo #2
    Sep 19 13:49:05 racoon: INFO: NAT-D payload #0 verified
    Sep 19 13:49:05 racoon: [Self]: [68.183.90.1XX] INFO: Hashing 68.183.90.1XX[500] with algo #2
    Sep 19 13:49:05 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Sep 19 13:49:05 racoon: INFO: received Vendor ID: CISCO-UNITY
    Sep 19 13:49:05 racoon: INFO: Adding remote and local NAT-D payloads.
    Sep 19 13:49:05 racoon: [Self]: [68.183.90.1XX] INFO: Hashing 68.183.90.1XX[500] with algo #2
    Sep 19 13:49:05 racoon: [Westside Do]: [64.183.74.1XX] INFO: Hashing 64.183.74.1XX[500] with algo #2
    Sep 19 13:49:05 racoon: [Westside Do]: [64.183.74.1XX] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    Sep 19 13:49:05 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Sep 19 13:49:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 19 13:49:05 racoon: INFO: begin Identity Protection mode.
    Sep 19 13:49:05 racoon: [Westside Do]: INFO: initiate new phase 1 negotiation: 68.183.90.1XX[500]<=>64.183.74.1XX[500]
    Sep 19 13:49:05 racoon: [Westside Do]: INFO: IPsec-SA request for 64.183.74.1XX queued due to no phase1 found.



  • The solution was to move the nat command higher up the nat table using this command on the ASA5520:

    First remove it: no nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

    Then add it again: nat (inside,outside) 2 source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
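    Added example (not the poster's commands and not an ASA feature): a small Python model of ASA 8.3+ manual NAT ordering, showing why the identity (exemption) rule from the fix above only takes effect once it sits above a broader translation rule. Only the 10.0.0.0/8 to 192.168.1.0/24 identity rule comes from the thread; the other two rules in the table, and the catch-all PAT in particular, are constructed to illustrate the shadowing.

```python
# Added example: ASA Section 1 (manual/twice NAT) rules are evaluated
# top-down and the first match wins. An identity rule appended below a
# broader PAT rule never fires for the VPN flow, so work-originated
# traffic is translated instead of exempted. Rules other than the
# VPN exemption are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    src: str               # real source network (CIDR)
    dst: Optional[str]     # real destination network, None = any
    action: str            # "identity" = no translation, "pat" = dynamic PAT


def matches(rule: NatRule, src_ip: str, dst_ip: str) -> bool:
    """True if the flow's real addresses fall inside the rule's networks."""
    src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    dst_ok = rule.dst is None or \
        ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
    return src_ok and dst_ok


def first_match(table: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Walk the ordered table; the first hit decides the translation."""
    return next((r for r in table if matches(r, src_ip, dst_ip)), None)


def insert_at(table: List[NatRule], line: int, rule: NatRule) -> List[NatRule]:
    """Mimic 'no nat ...' then 'nat (inside,outside) <line> ...':
    remove the old copy, re-insert at the 1-based position, later rules shift down."""
    new = [r for r in table if r != rule]
    new.insert(line - 1, rule)
    return new


def action_for(table: List[NatRule], src_ip: str, dst_ip: str) -> str:
    hit = first_match(table, src_ip, dst_ip)
    return hit.action if hit else "none"


# The rule from the thread: identity NAT for 10.0.0.0/8 <-> 192.168.1.0/24.
VPN_EXEMPT = NatRule("10.0.0.0/8", "192.168.1.0/24", "identity")

# Constructed "before" table: another exemption at line 1, a catch-all
# internet PAT at line 2, and the VPN exemption appended last (line 3).
BEFORE = [
    NatRule("10.2.0.0/16", "172.16.0.0/12", "identity"),  # constructed
    NatRule("10.0.0.0/8", None, "pat"),                   # constructed catch-all PAT
    VPN_EXEMPT,
]
AFTER = insert_at(BEFORE, 2, VPN_EXEMPT)  # the thread's fix: re-add at line 2
```

    With the constructed table, a work host reaching 192.168.1.x hits the PAT rule before the fix and the identity rule after it, while ordinary internet-bound traffic still hits the PAT rule in both cases.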

