02-07-2014 01:31 PM
Hello again! In case you saw my last post, I was successful in sorting out the isakmp problem with my site-to-site tunnel a couple of weeks ago.
Everything is running fine now, except for one odd thing. First, some topology:
Our main campus is Plant 1 (192.168.32.0/20), Plant 2 (192.168.16.0/20), and MOS (192.168.0.0/20). The ASA "KSIASA01" is at the main campus.
On the other side of the tunnel, on a ~400kbps SDSL circuit, is Plant 3 (192.168.48.0/20), and the ASA "KSIASA03".
Now, from our main campus, I can ping addresses in Plant 3 just fine if I start from the subnets 192.168.11.0/24, 192.168.18.0/24, 192.168.25.0/24, 192.168.42.0/24. However, several other subnets fail when I ping from the main campus. The one I am most concerned with is 192.168.38.0/24.
Here's the twist: if I ping from Plant 3, I can ping everything in the main campus just fine. Also, after I ping the 192.168.38.0/24 subnet from Plant 3, I can then ping back from 192.168.38.0/24 to Plant 3 without problems. But after an hour or so, we can't anymore.
On KSIASA01, if I run the Packet Tracer, the failing pings reach "VPN Lookup," and then fail with "(acl-drop) Flow is denied by configured rule."
My research so far tells me that it may be a NAT problem, but I can't figure it out. I will attach sanitized configs for the two ASAs. Thanks in advance for your advice and assistance.
02-10-2014 11:48 AM
Hello, Jefferson.
NAT looks fine (on a first glance).
The only issue I found is inconsistency in encryption ACLs:
object-group network Plant1-Plant2-MOS
network-object MOS 255.255.240.0
network-object Plant2 255.255.240.0
network-object Plant1 255.255.240.0
access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0
vs.
object-group network Plant1Plant2MOS
network-object MOS 255.255.240.0
network-object Plant2 255.255.240.0
network-object Subnet38 255.255.255.0
network-object Subnet42 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS
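Added example, not code from the thread: a small Python check that expands each ASA's crypto ACL (object-groups resolved) into source/destination pairs and reports entries one side would encrypt that the peer's ACL does not mirror. The name-to-address table is an assumption taken from the topology in the question, since the ASAs' name statements were not posted.

```python
from ipaddress import IPv4Network

# Constructed name table: the ASAs' "name" statements were not posted, so these
# addresses come from the topology given in the question (assumption).
NAMES = {"MOS": "192.168.0.0", "Plant2": "192.168.16.0", "Plant1": "192.168.32.0",
         "Plant3": "192.168.48.0", "Subnet38": "192.168.38.0", "Subnet42": "192.168.42.0"}

def _operand(tokens, groups):
    """Consume one ACE operand: 'object-group NAME' or 'NAME MASK'."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [IPv4Network(f"{NAMES.get(tokens[0], tokens[0])}/{tokens[1]}")], tokens[2:]

def crypto_acl_pairs(config, acl_name):
    """Expand the named ACL's 'permit ip' entries into (src, dst) network pairs."""
    groups, pairs, current = {}, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[:1] == ["network-object"]:
            current.append(IPv4Network(f"{NAMES.get(t[1], t[1])}/{t[2]}"))
        elif t[:5] == ["access-list", acl_name, "extended", "permit", "ip"]:
            src, rest = _operand(t[5:], groups)
            dst, _ = _operand(rest, groups)
            pairs.extend((s, d) for s in src for d in dst)
    return pairs

def unmirrored(local, peer):
    """Local entries with no peer entry that mirrors them (or is wider)."""
    return [(s, d) for s, d in local
            if not any(s.subnet_of(pd) and d.subnet_of(ps) for ps, pd in peer)]

# The two fragments quoted in the answer above, one per ASA.
KSIASA01 = """object-group network Plant1-Plant2-MOS
network-object MOS 255.255.240.0
network-object Plant2 255.255.240.0
network-object Plant1 255.255.240.0
access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0"""
KSIASA03 = """object-group network Plant1Plant2MOS
network-object MOS 255.255.240.0
network-object Plant2 255.255.240.0
network-object Subnet38 255.255.255.0
network-object Subnet42 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS"""

if __name__ == "__main__":
    a = crypto_acl_pairs(KSIASA01, "outside_2_cryptomap")
    b = crypto_acl_pairs(KSIASA03, "outside_1_cryptomap")
    for s, d in unmirrored(a, b):
        print(f"KSIASA01 would encrypt {s} -> {d}; KSIASA03 has no entry covering it")
```

Run as-is it reports the whole Plant1 /20 on the KSIASA01 side as uncovered by KSIASA03, which only lists two /24s out of it; the reverse check comes back clean.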
02-10-2014 02:56 PM
Gah!! How stupid of me. I had fixed that error once already during initial tunnel troubleshooting. I must have not written that change to memory, or something. All is well now. Thank you very much!!