cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1156
Views
0
Helpful
2
Replies

site-to-site between ASA 5505s: one subnet can't send traffic across VPN

jeffrsonk
Beginner
Beginner

Hello again! In case you saw my last post, I was successful in sorting out the isakmp problem with my site-to-site tunnel a couple of weeks ago.

Everything is running fine now, except for one odd thing. First, some topology:

Our main campus is Plant 1 (192.168.32.0/20), Plant 2 (192.168.16.0/20), and MOS (192.168.0.0/20). The ASA "KSIASA01" is at the main campus.

On the other side of the tunnel, on a ~400kbps SDSL circuit, is Plant 3 (192.168.48.0/20), and the ASA "KSIASA03".

Now, from our main campus, I can ping addresses in Plant 3 just fine if I start from the subnets 192.168.11.0/24, 192.168.18.0/24, 192.168.25.0/24, 192.168.42.0/24. However, several other subnets fail when I ping from the main campus. The one I am most concerned with is 192.168.38.0/24.

Here's the twist: if I ping from Plant 3, I can ping everything in the main campus just fine. Also, after I ping the 192.168.38.0/24 subnet from Plant 3, I can then ping back from 192.168.38.0/24 to Plant 3 without problems. But after an hour or so, we can't anymore.

On KSIASA01, if I run the Packet Tracer, the failing pings reach "VPN Lookup," and then fail with "(acl-drop) Flow is denied by configured rule."

My research so far tells me that it may be a NAT problem, but I can't figure it out. I will attach sanitized configs for the two ASAs. Thanks in advance for your advice and assistance.

1 Accepted Solution

Accepted Solutions

Vasilii Mikhailovskii
Rising star
Rising star

Hello, Jefferson.

NAT looks fine (on a first glance).

The only issue I found is inconsistency in encryption ACLs:

object-group network Plant1-Plant2-MOS

network-object MOS 255.255.240.0

network-object Plant2 255.255.240.0

network-object Plant1 255.255.240.0

access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0

vs.

object-group network Plant1Plant2MOS

network-object MOS 255.255.240.0

network-object Plant2 255.255.240.0

network-object Subnet38 255.255.255.0

network-object Subnet42 255.255.255.0

access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS

View solution in original post

2 Replies 2

Vasilii Mikhailovskii
Rising star
Rising star

Hello, Jefferson.

NAT looks fine (on a first glance).

The only issue I found is inconsistency in encryption ACLs:

object-group network Plant1-Plant2-MOS

network-object MOS 255.255.240.0

network-object Plant2 255.255.240.0

network-object Plant1 255.255.240.0

access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0

vs.

object-group network Plant1Plant2MOS

network-object MOS 255.255.240.0

network-object Plant2 255.255.240.0

network-object Subnet38 255.255.255.0

network-object Subnet42 255.255.255.0

access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS

Gah!! How stupid of me. I had fixed that error once already during initial tunnel troubleshooting. I must have not written that change to memory, or something. All is well now. Thank you very much!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers