ASA 5510 Site to Site VPN works in one direction

Tags: cisco-asa, site-to-site-vpn

I have set up a site-to-site VPN connection between two Cisco ASA 5510s. One site (let's call it A) can see the private network of the other site (site B), but site B cannot see the private network of site A.

The access lists and routes of both ASAs are the same.

On ASA A, by issuing the command: show run crypto map, I get the following result:

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer IP_of_Outside_Interface_of_B 
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set ikev2 pre-shared-key ********
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

and by issuing the same command on ASA B, I get:

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer IP_of_Outside_Interface_of_A 
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 1 set ikev2 pre-shared-key ********
crypto map Outside_map 1 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside

Also, by issuing show crypto isakmp on ASA A, I get:

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote                Status        Role
74335965       public_IP_of_ASA_A/500     public_IP_of_ASA_B/500      READY    RESPONDER
  Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK 
  Life/Active Time: 86400/9974 sec
Child sa: local selector  172.16.0.0/0 - 172.16.255.255/65535
      remote selector 10.0.20.0/0 - 10.0.20.255/65535
      ESP spi in/out: 0xab18ad65/0x4ff34128  

and on ASA B:

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote                 Status         Role
 83370867     public_IP_of_ASA_B/500       public_IP_of_ASA_A/500      READY    INITIATOR
  Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK 
  Life/Active Time: 86400/9499 sec
Child sa: local selector  10.0.20.0/0 - 10.0.20.255/65535
      remote selector 172.16.0.0/0 - 172.16.255.255/65535
      ESP spi in/out: 0x4ff34128/0xab18ad65  

According to the info above, I can access the private network (10.0.20.0/24) of ASA B (role Initiator) from the private network (172.16.0.0/24) of ASA A (role Responder), but not vice versa.

sysopt connection permit-vpn is also enabled on both ASAs.

Any ideas how this can happen?
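A practical way to read the two dumps above is to check that the child SAs actually mirror each other (A's inbound ESP SPI must be B's outbound SPI, and the traffic selectors must be swapped) and then look at the `#pkts encaps` / `#pkts decaps` counters from `show crypto ipsec sa` on each side to see in which direction ESP is really flowing. The script below is an added example written for this page, not code from the poster: the `show crypto isakmp sa` text is the output quoted in the question (placeholder addresses kept), while the `show crypto ipsec sa` counter lines are a constructed sample, since the question does not include them, and the verdict strings are names chosen here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# The two `show crypto isakmp sa` dumps from the question, embedded as sample text.
ASA_A_ISAKMP = """\
Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote                Status        Role
74335965       public_IP_of_ASA_A/500     public_IP_of_ASA_B/500      READY    RESPONDER
  Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
  Life/Active Time: 86400/9974 sec
Child sa: local selector  172.16.0.0/0 - 172.16.255.255/65535
      remote selector 10.0.20.0/0 - 10.0.20.255/65535
      ESP spi in/out: 0xab18ad65/0x4ff34128
"""
ASA_B_ISAKMP = """\
Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote                 Status         Role
 83370867     public_IP_of_ASA_B/500       public_IP_of_ASA_A/500      READY    INITIATOR
  Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
  Life/Active Time: 86400/9499 sec
Child sa: local selector  10.0.20.0/0 - 10.0.20.255/65535
      remote selector 172.16.0.0/0 - 172.16.255.255/65535
      ESP spi in/out: 0x4ff34128/0xab18ad65
"""
# Constructed sample (not in the question): the counter lines of `show crypto ipsec sa`.
# Values are invented so that ESP is encrypted and decrypted at both ends.
ASA_A_IPSEC = """\
      #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
      #pkts decaps: 1804, #pkts decrypt: 1804, #pkts verify: 1804
"""
ASA_B_IPSEC = """\
      #pkts encaps: 1804, #pkts encrypt: 1804, #pkts digest: 1804
      #pkts decaps: 1523, #pkts decrypt: 1523, #pkts verify: 1523
"""


@dataclass
class ChildSa:
    status: str
    role: str
    local: Tuple[str, str]    # first and last address of the local traffic selector
    remote: Tuple[str, str]
    spi_in: int
    spi_out: int


def _grab(pattern: str, text: str) -> tuple:
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"pattern not found: {pattern}")
    return m.groups()


def parse_isakmp(text: str) -> ChildSa:
    """Extract status, role, traffic selectors and ESP SPIs from `show crypto isakmp sa`."""
    (status,) = _grab(r"Status:([\w-]+)", text)
    (role,) = _grab(r"\bREADY\s+(\w+)", text)
    # Selectors print as 'addr/port - addr/port'; ports 0-65535 mean 'any port'.
    l1, l2 = _grab(r"local selector\s+(\S+)/\d+ - (\S+)/\d+", text)
    r1, r2 = _grab(r"remote selector\s+(\S+)/\d+ - (\S+)/\d+", text)
    spi_in, spi_out = _grab(r"ESP spi in/out:\s+(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", text)
    return ChildSa(status, role, (l1, l2), (r1, r2), int(spi_in, 16), int(spi_out, 16))


def parse_counters(text: str) -> Tuple[int, int]:
    """Return (encaps, decaps) packet counts from `show crypto ipsec sa`."""
    (encaps,) = _grab(r"#pkts encaps:\s*(\d+)", text)
    (decaps,) = _grab(r"#pkts decaps:\s*(\d+)", text)
    return int(encaps), int(decaps)


def sa_is_symmetric(a: ChildSa, b: ChildSa) -> bool:
    """Both ends up, one initiator and one responder, selectors mirrored, SPIs swapped."""
    return (a.status == b.status == "UP-ACTIVE"
            and {a.role, b.role} == {"INITIATOR", "RESPONDER"}
            and a.local == b.remote and a.remote == b.local
            and a.spi_in == b.spi_out and a.spi_out == b.spi_in)


def diagnose(a: ChildSa, b: ChildSa, a_ctr: Tuple[int, int], b_ctr: Tuple[int, int]) -> str:
    """Verdict for the symptom 'A reaches B, B cannot reach A' (verdict names are this example's own)."""
    if not sa_is_symmetric(a, b):
        return "sa-mismatch"           # half-formed SAs: clear and rebuild, compare crypto map ACLs
    a_enc, a_dec = a_ctr
    b_enc, b_dec = b_ctr
    if b_enc == 0:
        return "b-not-encrypting"      # B's LAN traffic never reaches the crypto map: routing, NAT exemption, ACL on B
    if a_dec == 0:
        return "a-not-decrypting"      # ESP leaves B but A never decrypts it: path, NAT-T or SPI trouble
    if a_enc == 0:
        return "a-not-returning"       # A decrypts but sends nothing back: replies never reach A's inside interface
    return "tunnel-ok-check-hosts"     # ESP flows both ways: look past the ASA (host gateway, host firewall)


if __name__ == "__main__":
    sa_a, sa_b = parse_isakmp(ASA_A_ISAKMP), parse_isakmp(ASA_B_ISAKMP)
    print("symmetric:", sa_is_symmetric(sa_a, sa_b))
    print("verdict:", diagnose(sa_a, sa_b, parse_counters(ASA_A_IPSEC), parse_counters(ASA_B_IPSEC)))
```

With the dumps from the question the SA check passes, and with counters that grow at both ends the verdict is that the tunnel itself is healthy, which is the cue to stop staring at crypto maps and test the end hosts (default gateway, host firewall) and the ASA's NAT exemption with `packet-tracer`. Note the question labels the 172.16.0.0 side as a /24, while the selector in the dump spans 172.16.0.0 to 172.16.255.255, i.e. a /16; the parser reports whatever the ASA printed.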

Best Answer

Sometimes simple reasons block your eyes, like in this case, in which I was looking at the crypto map, crypto isakmp, access lists, etc., and the reason was that the ESXi server that I was trying to access from the other site did not have a proper gateway!!! Actually, all the hosts on that ESXi server had a proper gateway, but the hypervisor itself did not... I fixed it and it worked like a charm...

Thanks for all your comments and thoughts.