PFsense 2.2.4 & Cisco ASA5505 IPSec - one way connection only
I've just setup an IPSec Site-to-Site VPN using PFSense 2.2.4 and ASA5505 and was able to establish VPN connection.
Site A :
Cisco ASA 5505 IP: 192.168.1.2
LAN users Default Gateway: 192.168.1.2
PFSense IP: 172.16.9.5
LAN users Default Gateway: 172.16.9.3
172.16.9.3 is our Cisco Managed Switch which handle Inter-VLAN connection.
All users on Site B can access the LAN of Site A, but Site A cannot access the LAN of Site B.
I did some routing on PFSense & ASA5505 but still Site A cannot access Site B. Any advise please?
Can you ping pfSense box from site A?
Do you already have a route like this
ROUTE ADD 192.168.1.0 MASK 255.255.225.0 172.16.9.5
on all site B clients or on site B default gateway?
Do you have an "allow" rule on the pfSense IPsec page (in Firewall / Rules)?
No, I can't ping pfSense from Site A.
Yes I tried adding route on some PC on Site B clients and even the Cisco Route but still no luck.
Allow Rule on PFSense IPsec is also wide open.
On my cisco box, I'm receiving the message below:
3 Oct 27 2015 11:34:41 305005 172.16.9.39 No translation group found for icmp src LAN:192.168.1.100 dst LAN:172.16.9.39 (type 8, code 0)
Sorry, I'm no good with Cisco configuration.
The "No translation group found" from the ASA probably indicates you're missing a NAT exclusion for the VPN networks on the ASA.
Sorry as I'm totally not good in Cisco commands. How do I translate that into Cisco ASA config? Can you show me the command?
If you don't know what he said you should probably ask a cisco forum.
In a nutshell you have to exclude your VPN networks from NAT or they get natted and break your VPN.
192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24
If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
Basically says "Don't NAT these networks." Or, more precisely, NAT these networks but NAT them to themselves. Totally convoluted, but that's the way it is.
I already added a NAT Exempt on my ASA5505, but still Site A cannot access Site B network. Still cannot PING Site B PFSense box. Any suggestion please?
![ASA5505 NAT.JPG](/public/imported_attachments/1/ASA5505 NAT.JPG)
![ASA5505 NAT.JPG_thumb](/public/imported_attachments/1/ASA5505 NAT.JPG_thumb)
I'm used to have Bytes-In Zero, Bytes-Out OK problem.
After enable Maximum MSS in IPsec > Advanced Setting and give the value 1250 solved my problem.
Not sure whether the same setting can apply to your case.