These are the two ACLs of two site-to-site VPNs. The first VPN is working fine but the second VPN is working one way. Local subnet y.y.y.y cannot send traffic to the remote site. Can it be a problem because the first VPN subnet is overlapping with the second one?
1st site-to-site VPN works fine
Local subnet: x.x.x.x Remote subnet: 192.168.0.0/16
2nd site-to-site VPN - one way
Local subnet: y.y.y.y Remote subnet: 192.168.1.0/24
If you look at the output of the following command
show run crypto map
And if you see that the L2L VPN connection with the network 192.168.0.0/16 has a smaller sequence/order/priority number in the Crypto Map, then all the traffic destined to that large network will match this L2L VPN and not the other VPN with the more specific network.
You could try adding this line to the L2L VPN with the large network:
access-list line 1 deny ip 192.168.1.0 255.255.255.0
And see if that enables you to use the second new L2L VPN without changing the subnets/networks in the L2L VPN configurations.
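The following is an added Python model of the crypto-map evaluation described in the answer above; it is not code from the answerer or from Cisco. It assumes constructed stand-in subnets for x.x.x.x and y.y.y.y, and that the first VPN's local network also contains the second's (the situation in which the lower sequence number actually shadows the more specific entry), then shows the effect of the suggested deny line.

```python
import ipaddress

# Added model of how a Cisco crypto map picks a tunnel: entries are tried in
# ascending sequence number; inside an entry the crypto ACL is read top-down and
# the first ACE whose source AND destination match decides. A "permit" selects
# the tunnel, a "deny" excludes the flow from this entry and evaluation moves on.
# The subnets below are constructed stand-ins for the post's x.x.x.x / y.y.y.y;
# the model assumes the first VPN's local network also contains the second's,
# which is when the shadowing described in the answer actually occurs.
LOCAL_VPN1 = "10.0.0.0/8"    # stands in for x.x.x.x
LOCAL_VPN2 = "10.2.0.0/24"   # stands in for y.y.y.y (inside 10.0.0.0/8)

def ace(action, src, dst):
    """One access-list entry: ('permit'|'deny', src network, dst network)."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def acl_verdict(acl, src_ip, dst_ip):
    """First-match evaluation of a crypto ACL; None if no ACE matched."""
    for action, src_net, dst_net in acl:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return None

def select_tunnel(crypto_map, src, dst):
    """Name of the crypto-map entry whose ACL permits src->dst, lowest sequence first."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, name, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl_verdict(acl, src_ip, dst_ip) == "permit":
            return name
    return None

# As described in the question: seq 10 carries the broad /16, seq 20 the /24.
BROKEN_MAP = [
    (10, "VPN1", [ace("permit", LOCAL_VPN1, "192.168.0.0/16")]),
    (20, "VPN2", [ace("permit", LOCAL_VPN2, "192.168.1.0/24")]),
]

# The answer's fix: a deny for 192.168.1.0/24 inserted as line 1 of VPN1's ACL.
FIXED_MAP = [
    (10, "VPN1", [ace("deny", LOCAL_VPN1, "192.168.1.0/24"),
                  ace("permit", LOCAL_VPN1, "192.168.0.0/16")]),
    (20, "VPN2", [ace("permit", LOCAL_VPN2, "192.168.1.0/24")]),
]

if __name__ == "__main__":
    for label, cmap in (("before", BROKEN_MAP), ("after", FIXED_MAP)):
        print(label, "10.2.0.5 -> 192.168.1.10:", select_tunnel(cmap, "10.2.0.5", "192.168.1.10"))
        print(label, "10.1.0.5 -> 192.168.7.10:", select_tunnel(cmap, "10.1.0.5", "192.168.7.10"))
```

Under this model, the deny line also removes 192.168.1.0/24 from the first tunnel for every host in x.x.x.x, so check that nothing on that side still needs to reach the /24 through VPN1 before adding it.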
You need to run the packet tracer twice in a row. The first packet tracer will drop as the tunnel might not yet be up. So the first packet tracer brings up the tunnel and then the second packet tracer will show the correct trace. I would also suggest using an IP that is not the firewall interface, as this can sometimes (depending on the configuration) show as a drop.
Have you ensured that the ACL that defines interesting traffic at the remote end is correctly configured?
And although this is probably not the issue, check to make sure that the test PC has an IP in the correct range.
-- Please remember to rate and select a correct answer