Cisco 5512 to 5505 IPSec VPN tunnel working only one way

I have a very odd situation occurring.  I have for YEARS created dozens of IPSec VPN tunnels between my locations.  But this one location that I have has me stumped.  

The IPSec VPN tunnel between my corporate LAN and this remote location is only allowing traffic from the Corporate LAN to the remote location (named BE102).  The tunnel comes up and I can ping ALL of the addresses at the remote location from my Corporate LAN, and even RDP to the file server there.  However, NONE of the remote BE102 workstations or the file server can ping back TO my Corporate LAN.

I have the BE102 location set up in my Cisco 5512 IDENTICALLY to the way I have my Director of IT's home LAN, and his LAN connection works perfectly both ways.

So, my question is...what am I missing here?  Again, I have done this for literally years, and have never run into this before.   So I'm sure I'm just not seeing the problem in my configuration.  So I need another pair of eyes to look at this for me.

Thank you for any help in advance.

Below is the configuration from the 5512

---------------------
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0

object network GK-DIR-IT
 subnet 192.168.200.0 255.255.255.0
 description Director of IT IPSec

object network Location-BE102
 subnet 10.5.9.0 255.255.255.0
 description BE102:4000 McColm Ct location

object-group network DM_INLINE_NETWORK_9
 network-object object GK-DIR-IT
 network-object object Location-BE102

access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 object GK-DIR-IT
access-list VPN_BE102 extended permit ip 192.168.1.0 255.255.255.0 object Location-BE102

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Location-BE102 Location-BE102


crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 172.135.50.146
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1009 match address VPN_BE102
crypto map outside_map 1009 set peer 68.66.160.94
crypto map outside_map 1009 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map interface outside

tunnel-group 172.135.50.146 type ipsec-l2l
tunnel-group 172.135.50.146 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 68.66.160.94 type ipsec-l2l
tunnel-group 68.66.160.94 ipsec-attributes
 ikev1 pre-shared-key *****
------------------------------

And here is the configuration from the 5505

object network GK_AD100_Corporate
 subnet 192.168.1.0 255.255.255.0
 description Corporate location AD100 LAN Network
object network GK_BE102
 subnet 10.5.9.0 255.255.255.0
 description LAN networks for GK Location BE102

object-group network VPN_Networks
 network-object object GK_AD100_Corporate
access-list GK_Corp extended permit ip object GK_BE102 object GK_AD100_Corporate
access-list OUTSIDE extended permit ip object GK_BE102 object GK_AD100_Corporate

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static GK_BE102 GK_BE102 destination static GK_AD100_Corporate GK_AD100_Corporate

access-group OUTSIDE in interface outside

crypto map gk-vpn-map 100 match address GK_Corp
crypto map gk-vpn-map 100 set peer 76.61.239.154
crypto map gk-vpn-map 100 set ikev1 transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map gk-vpn-map interface outside
crypto ikev1 enable outside

tunnel-group 76.61.239.154 type ipsec-l2l
tunnel-group 76.61.239.154 ipsec-attributes
 ikev1 pre-shared-key *****

-------------------
jgrammer42 asked:

sk391 commented:
Hi,

A couple of things I see here:

In your access list, it is better if you use IPs on both ends or object groups on both ends.

Your crypto map ikev1 only needs one entry, not all of those; that used to cause issues.
I recommend using ESP-AES-256-SHA on both ends.

Also, you can post the ikev1 policies that you have on both devices.
jgrammer42 (Author) commented:
sk391,
my apologies for not seeing your response sooner.  I will try this and reply back a little later.

Yeah, I inherited that list of IKEv1 policies, which I too thought was odd.  It seemed like someone just loved that Cisco GUI interface, instead of using the CLI and actually coding it.

jgrammer42 (Author) commented:
Problem solved.

I needed to REMOVE the following line:
nat (inside,outside) source dynamic any interface

Once I removed that NAT statement, everything worked like a champ.

Thank you for all of the help,
Jeff
jgrammer42 (Author) commented:
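Why removing that one line fixed a one-way tunnel is worth spelling out, since the thread does not. On an ASA running 8.3+ NAT, manual ("twice") NAT rules are evaluated top-down and the first rule whose source and destination both match wins. In the 5505 config as posted, `source dynamic any interface` sits above the identity rule for GK_BE102 -> GK_AD100_Corporate, so a connection started from a BE102 host toward corporate is PAT'd to the outside interface address before the crypto map ACL GK_Corp is consulted, and the translated packet no longer matches it. Connections started from the corporate side are unaffected because a dynamic PAT rule only applies to flows initiated from its source side, which is exactly the asymmetry Jeff described. The script below is an added example, not part of the original post, that models the first-match table for the three rule orders: as posted, with the PAT removed (Jeff's fix), and with the identity NAT placed above the PAT. The outside address 203.0.113.5 and the Internet destination 198.51.100.7 are constructed placeholders. On a real ASA the third variant corresponds to inserting the identity rule first, or, as an assumption from the ASA NAT documentation rather than anything in this thread, appending `after-auto` to the PAT rule so it drops to the section evaluated after object NAT.

```python
import ipaddress

# Added example, not from the original post. Models how an ASA (8.3+) walks its
# manual NAT table top-down and why the order of the two 5505 rules decides
# whether BE102 -> Corporate traffic is still eligible for the crypto ACL.

OUTSIDE_IF_IP = "203.0.113.5"   # constructed placeholder for the 5505 outside address

CORP = ipaddress.ip_network("192.168.1.0/24")   # object GK_AD100_Corporate
BE102 = ipaddress.ip_network("10.5.9.0/24")     # object GK_BE102
ANY = ipaddress.ip_network("0.0.0.0/0")         # "any"


def rule(name, src, dst, xlate):
    """One manual NAT rule: match on (source, destination), then translate the source.

    xlate is the literal "identity" for `source static X X`, or an address the
    source is rewritten to for `source dynamic any interface`.
    """
    return {"name": name, "src": src, "dst": dst, "xlate": xlate}


# Rule order exactly as posted on the 5505: dynamic PAT above the identity NAT.
ORIGINAL_5505 = [
    rule("pat-to-interface", ANY, ANY, OUTSIDE_IF_IP),
    rule("identity-be102-to-corp", BE102, CORP, "identity"),
]

# What the author did: remove the dynamic PAT line entirely.
PAT_REMOVED = [
    rule("identity-be102-to-corp", BE102, CORP, "identity"),
]

# Alternative that keeps Internet PAT: identity NAT first, PAT evaluated after it.
REORDERED = [
    rule("identity-be102-to-corp", BE102, CORP, "identity"),
    rule("pat-to-interface", ANY, ANY, OUTSIDE_IF_IP),
]

# Crypto ACL GK_Corp: permit ip object GK_BE102 object GK_AD100_Corporate
CRYPTO_ACL = [(BE102, CORP)]


def apply_manual_nat(rules, src_ip, dst_ip):
    """Return (rule name, translated source) for a connection initiated inside->outside.

    First match wins: the ASA stops at the first rule whose source and
    destination conditions both hold, even if a more specific rule follows.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            translated = src_ip if r["xlate"] == "identity" else r["xlate"]
            return r["name"], translated
    return None, src_ip          # no rule hit: packet leaves untranslated


def matches_crypto_acl(src_ip, dst_ip):
    """The crypto map ACL is evaluated against the packet after NAT."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    return any(s in acl_src and d in acl_dst for acl_src, acl_dst in CRYPTO_ACL)


def vpn_path(rules, src_ip, dst_ip):
    """Simulate one outbound packet: NAT decision, then crypto ACL decision."""
    hit, translated = apply_manual_nat(rules, src_ip, dst_ip)
    return {
        "nat_rule": hit,
        "post_nat_src": translated,
        "enters_tunnel": matches_crypto_acl(translated, dst_ip),
    }


if __name__ == "__main__":
    tables = (("as posted", ORIGINAL_5505), ("PAT removed", PAT_REMOVED), ("reordered", REORDERED))
    for label, table in tables:
        print(label, "BE102 -> Corp:    ", vpn_path(table, "10.5.9.10", "192.168.1.20"))
        print(label, "BE102 -> Internet:", vpn_path(table, "10.5.9.10", "198.51.100.7"))
```

Running it shows the posted order PAT-ing the corporate-bound packet to 203.0.113.5 so it never enters the tunnel, the author's fix restoring the tunnel but leaving Internet-bound traffic with no NAT rule at all, and the reordered table giving both: identity for the VPN destination and PAT for everything else. The practical check on a real ASA is `show nat` (rule order and hit counts) alongside `packet-tracer input inside icmp 10.5.9.10 8 0 192.168.1.20`, which prints the NAT phase and the VPN encryption phase for exactly this kind of packet.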
Self determined the problem