pfSense 2.2.4 & Cisco ASA5505 IPsec - one-way connection only



  • Dear All,
    I've just set up an IPsec site-to-site VPN using pfSense 2.2.4 and an ASA5505 and was able to establish the VPN connection.

    Site A :
    Subnet: 192.168.1.0/24
    Cisco ASA 5505 IP: 192.168.1.2
    LAN users Default Gateway: 192.168.1.2

    Site B:
    Subnet: 172.16.0.0/16
    PFSense IP: 172.16.9.5

    LAN users Default Gateway: 172.16.9.3
    172.16.9.3 is our Cisco managed switch, which handles the inter-VLAN routing.

    All users on Site B can access the LAN of Site A, but Site A cannot access the LAN of Site B.

    I did some routing on pfSense and the ASA5505, but Site A still cannot access Site B. Any advice please?

    Regards,
    Malvin



  • Can you ping the pfSense box from site A?

    Do you already have a route like this
    ROUTE ADD 192.168.1.0 MASK 255.255.255.0 172.16.9.5
    on all site B clients or on the site B default gateway?

    Do you have an "allow" rule on the pfSense IPsec page (in Firewall / Rules)?

    Regards,
      Corrado



  • No, I can't ping pfSense from Site A.

    Yes, I tried adding the route on some of the Site B client PCs and even on the Cisco router, but still no luck.

    The allow rule on the pfSense IPsec tab is also wide open.

    On my Cisco box, I'm receiving the message below:
    3 Oct 27 2015 11:34:41 305005 172.16.9.39 No translation group found for icmp src LAN:192.168.1.100 dst LAN:172.16.9.39 (type 8, code 0)

    Sorry, I'm no good with Cisco configuration.

    Regards,
    Malvin



  • The "No translation group found" from the ASA probably indicates you're missing a NAT exclusion for the VPN networks on the ASA.



  • Sorry, I'm really not good with Cisco commands. How do I translate that into Cisco ASA config? Can you show me the command?

    Thanks,
    Malvin


  • LAYER 8 Netgate

    If you don't know what he said you should probably ask a cisco forum.

    In a nutshell, you have to exclude your VPN networks from NAT, or they get NATed and that breaks your VPN.

    L2L Example

    Topology:

    192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24

    If you were configuring the ASA1 NAT exemption for this L2L tunnel, it would look like this:

        object network obj-local
         subnet 192.168.1.0 255.255.255.0
        object network obj-remote
         subnet 192.168.2.0 255.255.255.0
        nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

    https://supportforums.cisco.com/document/44566/asa-83-nat-exemption-example-basic-l2l-vpn-and-basic-ra-vpn

    It basically says "Don't NAT these networks." Or, more precisely, NAT these networks, but NAT them to themselves. Totally convoluted, but that's the way it is.
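The ASA message Malvin quoted and the NAT exemption in this reply, put together as a small triage script. This is an added example and not code from the thread, from Netgate or from Cisco: it parses 305005 "No translation group found" events (the first sample line is the one quoted above; the other two are constructed for contrast), tags the events whose source and destination fall in the tunnel's local and remote subnets, and prints the ASA 8.3+ identity-NAT statement for that pair in the form shown above. It also flags events where the logged destination interface is not the interface the tunnel terminates on; the quoted line shows `dst LAN:`, the thread does not discuss that, so treat it as one more thing to check in the ASA's routing for the remote subnet. The object names, interface names and the sample lines are assumptions.

```python
"""Triage Cisco ASA 305005 'No translation group found' events against the two
networks an IPsec site-to-site tunnel should carry, and print the ASA 8.3+
identity-NAT statement (NAT exemption) that covers them.

Added example for this thread; not the poster's config. Object names
(obj-local / obj-remote), interface names and the sample log lines are
assumptions. Python 3, standard library only."""
import ipaddress
import re

# Constructed sample in the ASDM log-viewer layout quoted in the thread
# (severity, date, time, syslog ID, destination, message text). The first
# line is the one from the thread; the other two are made up for contrast.
SAMPLE_LOG = """\
3 Oct 27 2015 11:34:41 305005 172.16.9.39 No translation group found for icmp src LAN:192.168.1.100 dst LAN:172.16.9.39 (type 8, code 0)
3 Oct 27 2015 11:34:45 305005 172.16.9.5 No translation group found for tcp src LAN:192.168.1.100/49152 dst outside:172.16.9.5/443
3 Oct 27 2015 11:35:02 305005 203.0.113.10 No translation group found for tcp src LAN:192.168.1.50/51000 dst outside:203.0.113.10/443
"""

# The message body is the same whether it comes from ASDM or from a
# %ASA-3-305005 syslog line, so the regex only anchors on the text.
MSG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?"
)


def parse_305005(text):
    """Return one dict per 305005 line: proto, src/dst interface and address."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["src"] = ipaddress.ip_address(ev["src"])
        ev["dst"] = ipaddress.ip_address(ev["dst"])
        events.append(ev)
    return events


def triage(events, local_net, remote_net, vpn_ifc="outside"):
    """Tag each event. A src in the local VPN subnet and a dst in the remote
    one means the packet was meant for the tunnel; on ASA 8.3+ a 305005 for
    that pair points at a missing identity NAT. If the ASA also picked an
    egress interface other than the one the crypto map is bound to, its route
    for the remote subnet is worth checking too (the thread's line shows
    'dst LAN:', not 'dst outside:')."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    out = []
    for ev in events:
        tags = set()
        if ev["src"] in local and ev["dst"] in remote:
            tags.add("nat-exempt-missing")
            if ev["dif"] != vpn_ifc:
                tags.add("egress-not-vpn-interface")
        out.append({"src": ev["src"], "dst": ev["dst"],
                    "proto": ev["proto"], "tags": tags})
    return out


def nat_exempt_config(local_net, remote_net, inside="inside", outside="outside",
                      local_obj="obj-local", remote_obj="obj-remote"):
    """ASA 8.3+ twice NAT that translates both networks to themselves, i.e.
    NAT exemption, in the form shown in the thread. Object names assumed."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    return "\n".join([
        f"object network {local_obj}",
        f" subnet {local.network_address} {local.netmask}",
        f"object network {remote_obj}",
        f" subnet {remote.network_address} {remote.netmask}",
        f"nat ({inside},{outside}) 1 source static {local_obj} {local_obj} "
        f"destination static {remote_obj} {remote_obj}",
    ])


if __name__ == "__main__":
    # Site A (ASA) and Site B (pfSense) subnets from the thread; the ASA's
    # inside interface is called LAN, as the quoted log line shows.
    findings = triage(parse_305005(SAMPLE_LOG), "192.168.1.0/24", "172.16.0.0/16")
    for f in findings:
        print(f"{f['proto']:4} {f['src']} -> {f['dst']}: "
              f"{sorted(f['tags']) or 'not VPN traffic'}")
    if any("nat-exempt-missing" in f["tags"] for f in findings):
        print("\nNAT exemption to add on the ASA:")
        print(nat_exempt_config("192.168.1.0/24", "172.16.0.0/16", inside="LAN"))
```

After adding the exemption, `packet-tracer input LAN icmp 192.168.1.100 8 0 172.16.9.39` on the ASA walks the same packet through its route lookup, NAT and VPN phases and shows which phase still drops it, which is quicker than waiting for the next 305005.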



  • Hi,
    I already added a NAT exemption on my ASA5505, but Site A still cannot access the Site B network. I still cannot ping the Site B pfSense box. Any suggestions please?

    Regards,
    Malvin

    ![ASA5505 NAT.JPG](/public/imported_attachments/1/ASA5505 NAT.JPG)



  • I used to have the Bytes-In zero, Bytes-Out OK problem.
    Enabling Maximum MSS under IPsec > Advanced Settings and giving it the value 1250 solved my problem.
    Not sure whether the same setting applies to your case.
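Where the 1250 in this reply comes from, worked through as an added example (not pfSense's or strongSwan's code): the script below computes the largest TCP MSS for which a tunnel-mode ESP packet still fits a given path MTU, using the header sizes from RFC 4303 (ESP) and the UDP encapsulation NAT-T adds. The cipher and integrity figures in `PROFILES` are assumptions about what a tunnel might negotiate; the thread does not say which proposal was in use. For a 1500-byte path with AES-CBC and HMAC-SHA1 the result is 1398 without NAT-T and 1382 with it, so a clamp of 1250 sits comfortably below every combination here, which is why it tends to make the "bytes in zero" symptom go away when the real cause is oversized encrypted packets being dropped somewhere on the path.

```python
"""Largest TCP MSS that lets a tunnel-mode ESP packet fit a given path MTU.

Added example for this thread, not pfSense's or strongSwan's code. Header
sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T); the
per-cipher figures in PROFILES are assumptions about what a tunnel negotiates.
Python 3, standard library only."""

# profile -> (padding alignment, IV length, ICV length), all in bytes.
# AES-CBC must pad to its 16-byte block; AES-GCM needs only the 4-byte
# alignment RFC 4303 requires of every ESP payload. ICV: HMAC-SHA1-96 = 12,
# HMAC-SHA-256-128 = 16, GCM with a 128-bit tag = 16.
PROFILES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128": (4, 8, 16),
}

OUTER_IP = 20      # outer IPv4 header without options
UDP_NAT_T = 8      # UDP header on port 4500 when NAT-T is active
ESP_HDR = 8        # SPI + sequence number
ESP_TRL = 2        # pad length + next header
INNER_IP_TCP = 40  # inner IPv4 + TCP headers without options


def esp_packet_size(inner_len, profile, nat_t=False):
    """Bytes on the wire for an inner packet of inner_len bytes in tunnel mode."""
    align, iv, icv = PROFILES[profile]
    padded = -(-(inner_len + ESP_TRL) // align) * align   # round up to alignment
    return OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_mss(path_mtu, profile, nat_t=False):
    """Largest MSS for which esp_packet_size(INNER_IP_TCP + mss) <= path_mtu."""
    align, iv, icv = PROFILES[profile]
    budget = path_mtu - OUTER_IP - (UDP_NAT_T if nat_t else 0) - ESP_HDR - iv - icv
    budget -= budget % align   # inner packet + trailer must end on an alignment boundary
    return budget - ESP_TRL - INNER_IP_TCP


def clamp_is_safe(clamp, path_mtu, nat_t=True):
    """True if an MSS clamp fits every profile; NAT-T assumed unless told otherwise."""
    return all(clamp <= max_mss(path_mtu, p, nat_t) for p in PROFILES)


if __name__ == "__main__":
    for mtu in (1500, 1492):      # plain Ethernet and PPPoE path MTUs
        for nat_t in (False, True):
            for p in PROFILES:
                m = max_mss(mtu, p, nat_t)
                wire = esp_packet_size(INNER_IP_TCP + m, p, nat_t)
                print(f"mtu {mtu} nat_t={nat_t!s:5} {p:24} max MSS {m} (wire size {wire})")
    print("1250 safe on a 1500-byte path with NAT-T:", clamp_is_safe(1250, 1500))
```

The pfSense Maximum MSS field rewrites the MSS option on TCP handshakes crossing the tunnel, so the clamp only helps TCP; a UDP or ICMP flow that is too large for the path still needs the sender to honour PMTU, or the path to stop dropping fragments.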

