PFsense 2.2.4 & Cisco ASA5505 IPSec - one way connection only
-
Dear All,
I've just set up an IPsec site-to-site VPN using pfSense 2.2.4 and an ASA 5505 and was able to establish the VPN connection.

Site A:
Subnet: 192.168.1.0/24
Cisco ASA 5505 IP: 192.168.1.2
LAN users' default gateway: 192.168.1.2

Site B:
Subnet: 172.16.0.0/16
pfSense IP: 172.16.9.5
LAN users' default gateway: 172.16.9.3
172.16.9.3 is our Cisco managed switch, which handles the inter-VLAN connections.

All users on Site B can access the LAN of Site A, but Site A cannot access the LAN of Site B.
I did some routing on pfSense and the ASA 5505, but Site A still cannot access Site B. Any advice please?
Regards,
Malvin -
Can you ping pfSense box from site A?
Do you already have a route like this
ROUTE ADD 192.168.1.0 MASK 255.255.255.0 172.16.9.5
on all Site B clients or on the Site B default gateway?
Do you have an "allow" rule on the pfSense IPsec page (in Firewall / Rules)?
Regards,
Corrado -
No, I can't ping pfSense from Site A.
Yes, I tried adding the route on some Site B client PCs and even on the Cisco switch, but still no luck.
The allow rule on the pfSense IPsec tab is also wide open.
On my Cisco box, I'm receiving the message below:
3 Oct 27 2015 11:34:41 305005 172.16.9.39 No translation group found for icmp src LAN:192.168.1.100 dst LAN:172.16.9.39 (type 8, code 0)
Sorry, I'm no good with Cisco configuration.
Regards,
Malvin -
The "No translation group found" from the ASA probably indicates you're missing a NAT exclusion for the VPN networks on the ASA.
-
Sorry, I'm really not good with Cisco commands. How do I translate that into Cisco ASA config? Can you show me the command?
Thanks,
Malvin -
If you don't know what he said you should probably ask a cisco forum.
In a nutshell you have to exclude your VPN networks from NAT or they get natted and break your VPN.
L2L Example
Topology:
192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24
If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
https://supportforums.cisco.com/document/44566/asa-83-nat-exemption-example-basic-l2l-vpn-and-basic-ra-vpn
Basically says "Don't NAT these networks." Or, more precisely, NAT these networks but NAT them to themselves. Totally convoluted, but that's the way it is.
-
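Added example, not from any of the posters: a small model of the two checks discussed in this thread, the ASA NAT exemption above and Corrado's question about the return route on the Site B gateway. Addresses come from the thread; the interface names "LAN"/"outside", the ASA public address 203.0.113.2 and the Site B internet router 172.16.9.1 are constructed. Two caveats a practitioner would want: the crypto map is matched after NAT, which is why a PAT rule that catches the tunnel traffic breaks the VPN, and the exemption's destination object must cover the whole Site B range (172.16.0.0/16 here), not just the pfSense VLAN. Also note that in the posted 305005 line the dst field reads LAN:, which is the interface the ASA resolved the destination to, so the ASA's route for 172.16.0.0/16 is worth checking alongside the exemption.

```python
"""Model of an ASA 8.3+ twice-NAT lookup followed by the crypto-map check, plus a
longest-prefix-match router for the Site B gateway. Constructed example for the
thread above; not ASA code, just the matching logic it applies."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
net = ipaddress.ip_network
ip = ipaddress.ip_address


@dataclass
class TwiceNatRule:
    """One 'nat (real_ifc,mapped_ifc) source ... destination ...' rule."""
    real_ifc: str
    mapped_ifc: str
    real_src: IPv4Net
    mapped_src: IPv4Net            # equal to real_src for an identity (exemption) rule
    real_dst: Optional[IPv4Net]    # None = any destination (object NAT such as PAT)
    mapped_dst: Optional[IPv4Net]


def translate(rules, ingress, src, dst):
    """First-match lookup in rule order (manual/section-1 rules are evaluated before
    object NAT, so the exemption must sit in front of the PAT rule).
    Returns (post-NAT src, post-NAT dst, matched rule or None)."""
    for r in rules:
        if r.real_ifc != ingress or src not in r.real_src:
            continue
        if r.real_dst is not None and dst not in r.real_dst:
            continue
        # Identity rule keeps the address; a PAT rule maps it to the mapped address.
        new_src = src if r.mapped_src == r.real_src else r.mapped_src.network_address
        return new_src, dst, r
    return src, dst, None          # no rule: ASA 8.3+ forwards untranslated


def goes_through_tunnel(rules, ingress, src, dst, local_sel, remote_sel):
    """The crypto map sees post-NAT addresses: both must fall inside the Phase 2
    selectors for the packet to be encrypted into the tunnel."""
    nsrc, ndst, _ = translate(rules, ingress, src, dst)
    return nsrc in local_sel and ndst in remote_sel


SITE_A = net("192.168.1.0/24")
SITE_B = net("172.16.0.0/16")
ASA_PUBLIC = net("203.0.113.2/32")            # constructed outside address

PAT_ONLY = [TwiceNatRule("LAN", "outside", SITE_A, ASA_PUBLIC, None, None)]
EXEMPT = [TwiceNatRule("LAN", "outside", SITE_A, SITE_A, SITE_B, SITE_B)] + PAT_ONLY
TOO_NARROW = [TwiceNatRule("LAN", "outside", SITE_A, SITE_A,
                           net("172.16.9.0/24"), net("172.16.9.0/24"))] + PAT_ONLY


def check_nat(rules, src="192.168.1.100", dst="172.16.9.39"):
    """True if the Site A host's packet to dst is encrypted into the tunnel."""
    return goes_through_tunnel(rules, "LAN", ip(src), ip(dst), SITE_A, SITE_B)


def next_hop(table, dst):
    """Longest-prefix match over [(network, next hop)], 'connected' for local nets."""
    best = None
    for n, gw in table:
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


# Site B gateway (the inter-VLAN switch, 172.16.9.3): without a static route the
# reply to Site A follows the default route to the constructed internet router.
SWITCH_BASE = [(net("172.16.0.0/16"), "connected"), (net("0.0.0.0/0"), "172.16.9.1")]
SWITCH_FIXED = SWITCH_BASE + [(net("192.168.1.0/24"), "172.16.9.5")]


def reply_next_hop(table, dst="192.168.1.100"):
    return next_hop(table, ip(dst))


if __name__ == "__main__":
    for name, rules in (("PAT only", PAT_ONLY), ("with exemption", EXEMPT),
                        ("exemption /24 only", TOO_NARROW)):
        print(f"{name:20s} to 172.16.9.39: {check_nat(rules)}  "
              f"to 172.16.20.5: {check_nat(rules, dst='172.16.20.5')}")
    print("switch reply next hop without route:", reply_next_hop(SWITCH_BASE))
    print("switch reply next hop with route:   ", reply_next_hop(SWITCH_FIXED))
```

The third scenario is the one that silently breaks other VLANs: an exemption object of 172.16.9.0/24 lets pings to the pfSense VLAN work while hosts in, say, 172.16.20.0/24 are still PAT'ed and never match the tunnel.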
Hi,
I already added a NAT exempt on my ASA 5505, but Site A still cannot access the Site B network. I still cannot ping the Site B pfSense box. Any suggestions please?
Regards,
Malvin
-
I used to have the Bytes-In zero, Bytes-Out OK problem.
Enabling Maximum MSS in IPsec > Advanced Settings and giving it the value 1250 solved my problem.
Not sure whether the same setting applies in your case.
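Added example, not part of the post above: the ESP tunnel-mode overhead arithmetic behind an MSS clamp, so the 1250 figure can be compared with the actual ceiling. Field sizes are the RFC 4303 ESP layout (8-byte SPI/sequence header, 2-byte pad-length/next-header trailer, per-cipher IV, block alignment and ICV); the 1500-byte path MTU, the transform names and the 20-byte TCP header (TCP options come out of the MSS) are assumptions of the example.

```python
"""IPv4 ESP tunnel-mode size arithmetic for choosing a TCP MSS clamp.
Constructed example; numbers are RFC 4303 field sizes, not vendor-specific."""
OUTER_IP, INNER_IP, TCP_HDR = 20, 20, 20
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header (inside the encrypted part)
NAT_T_UDP = 8        # UDP/4500 encapsulation when NAT-T is negotiated

# transform -> (IV length, cipher block / alignment, ICV length)
SUITES = {
    "aes-cbc/hmac-sha1-96":    (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16":              (8, 4, 16),
}


def esp_wire_size(tcp_payload, suite, nat_t=False):
    """Bytes on the wire for one inner TCP segment carrying tcp_payload bytes."""
    iv, block, icv = SUITES[suite]
    plaintext = INNER_IP + TCP_HDR + tcp_payload + ESP_TRAILER
    padded = -(-plaintext // block) * block          # pad up to the cipher block
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_tcp_mss(path_mtu, suite, nat_t=False):
    """Largest MSS whose encrypted packet still fits the outer path MTU."""
    iv, block, icv = SUITES[suite]
    budget = path_mtu - OUTER_IP - (NAT_T_UDP if nat_t else 0) - ESP_HDR - iv - icv
    budget -= budget % block                         # encrypted part must align
    return budget - ESP_TRAILER - INNER_IP - TCP_HDR


def clamp_is_safe(mss, path_mtu, suite, nat_t=False):
    """True if a clamp of `mss` never produces an ESP packet larger than the MTU."""
    return esp_wire_size(mss, suite, nat_t) <= path_mtu


if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            print(f"{suite:25s} NAT-T={nat_t!s:5s} max MSS at 1500: "
                  f"{max_tcp_mss(1500, suite, nat_t)}")
    print("clamp 1250 safe on a 1492 PPPoE path with NAT-T:",
          clamp_is_safe(1250, 1492, "aes-cbc/hmac-sha256-128", True))
```

With a 1500-byte path and AES-CBC/SHA1 the ceiling is 1398 (1382 with NAT-T), so an unclamped 1460 overshoots the MTU and the fragments or ICMP Too Big messages have to make it through; 1250 leaves roughly 130 bytes of margin, enough to absorb PPPoE or a second encapsulation layer.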