pfSense 2.2.4 & Cisco ASA 5505 IPsec - one way connection only

  • Dear All,
    I've just set up an IPsec site-to-site VPN using pfSense 2.2.4 and an ASA 5505 and was able to establish the VPN connection.

    Site A :
    Cisco ASA 5505 IP:
    LAN users Default Gateway:

    Site B:
    pfSense IP:

    LAN users Default Gateway: is our Cisco managed switch, which handles inter-VLAN routing.

    All users on Site B can access the LAN of Site A, but Site A cannot access the LAN of Site B.

    I did some routing on pfSense and the ASA 5505, but Site A still cannot access Site B. Any advice please?


  • Can you ping pfSense box from site A?

    Do you already have a route like this
    on all site B clients or on site B default gateway?

    Do you have an "allow" rule on the pfSense IPsec page (in Firewall / Rules)?


  • No, I can't ping pfSense from Site A.

    Yes, I tried adding the route on some of the Site B client PCs and even on the Cisco switch, but still no luck.

    The allow rule on the pfSense IPsec tab is also wide open.

    On my cisco box, I'm receiving the message below:
    3 Oct 27 2015 11:34:41 305005 No translation group found for icmp src LAN: dst LAN: (type 8, code 0)

    Sorry, I'm no good with Cisco configuration.


  • The "No translation group found" from the ASA probably indicates you're missing a NAT exclusion for the VPN networks on the ASA.

  • Sorry, I'm totally not good with Cisco commands. How do I translate that into Cisco ASA config? Can you show me the command?


  • If you don't know what he said you should probably ask a Cisco forum.

    In a nutshell, you have to exclude your VPN networks from NAT or they get NATed and that breaks your VPN.

    L2L Example


    192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside

    If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:

    object network obj-local


    object network obj-remote


    nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

    This basically says "Don't NAT these networks." Or, more precisely, NAT these networks, but NAT them to themselves. Totally convoluted, but that's the way it is.
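A complete form of that NAT exemption, added here as an illustration and not taken from the thread or from the poster's configuration. The object names, the subnets (192.168.1.0/24 for Site A behind the ASA, 10.20.0.0/24 for Site B behind pfSense) and the ACL name are assumptions, since the real prefixes are not given on the page; the syntax is ASA 8.3 and later (twice NAT).

```cisco
! Added example (not from the thread). Assumed networks:
!   Site A LAN 192.168.1.0/24 on the ASA "inside" interface
!   Site B LAN 10.20.0.0/24 behind pfSense, reached via "outside"
object network SITE-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE-B-LAN
 subnet 10.20.0.0 255.255.255.0
!
! Identity twice-NAT: translate each network to itself, so traffic between
! the two LANs is never caught by the interface PAT. The "1" inserts the rule
! at the top of section 1 (manual NAT); manual NAT rules are evaluated in
! order and section 1 is always checked before object NAT in section 2, so
! this keeps the exemption ahead of any other manual NAT rule.
! no-proxy-arp and route-lookup are optional but common for identity NAT.
nat (inside,outside) 1 source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup
!
! The crypto ACL that selects traffic for the tunnel must carry the same
! pair of networks as the exemption; pfSense's phase 2 must mirror it.
access-list L2L-TO-SITE-B extended permit ip object SITE-A-LAN object SITE-B-LAN
!
! Checks from the ASA CLI (no changes made by these):
!   packet-tracer input inside icmp 192.168.1.10 8 0 10.20.0.10 detailed
!     -> the NAT phase should match the identity rule above and the
!        VPN phase should show ENCRYPT / ALLOW, not a PAT to the outside IP
!   show nat detail
!     -> translate_hits / untranslate_hits on the identity rule should rise
!   show crypto ipsec sa
!     -> compare "#pkts encaps" with "#pkts decaps"; one counter stuck at
!        zero is the signature of the one-way problem described in the thread
```

If `packet-tracer` still shows the packet being PATed, the exemption is below a dynamic manual NAT rule or the object subnets do not match the crypto ACL; if encaps rises but decaps stays at zero, the problem is on the pfSense side (phase 2 selector, IPsec-tab rule, or the missing route on the Site B gateway that the earlier reply asks about).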

  • Hi,
    I already added a NAT exemption on my ASA 5505, but Site A still cannot access the Site B network. I still cannot ping the Site B pfSense box. Any suggestion please?


    ![ASA5505 NAT.JPG](/public/imported_attachments/1/ASA5505 NAT.JPG)

  • I used to have a Bytes-In zero, Bytes-Out OK problem.
    Enabling Maximum MSS in IPsec > Advanced Settings and giving it the value 1250 solved my problem.
    Not sure whether the same setting applies to your case.
