I have a lan2lan tunnel between an ASA 5510 at my HQ office and an ASA 5505 at a remote site. At the HQ site I have 4 subnets behind the ASA:
If I try to access a device at the remote site from the x.x.0.0/24, the tunnel will come up without any problems. If I try it from either of the other two networks, I am unable to establish the tunnel from HQ. However, if I ping a device on the x.x.10.0/24 or x.x.11.0/24 network from the remote site, the tunnel will come up and then I have two-way communication between the networks without any problems.
I've had TAC verify my configuration. I've checked my crypto ACLs to verify that both networks are interesting traffic. Both networks are part of my nonat access-list on both ends. Tried upgrading the IOS on the ASA, no luck there. I have three other sites with the same configuration and they aren't having any problems.
I've been working on this for a few days and TAC & I are both stumped. I'm nowhere near an expert at ASA configuration, so I'd appreciate some help. I think the TAC engineer said it was failing at Phase 2. Any suggestions?
isakmp nat-traversal is not a NAT ACL. I guess we could offer input, but without seeing all the details and/or having an understanding of your exact setup it's difficult to offer aspects that may impact the cause of one-way traffic.
Apart from NAT-T, it's also worth checking PFS, if it's enabled at both ends. If you wish to consider further input, then might I recommend posting your sanitised configs to offer a review against. It could be beneficial, as highlighted by mvsheik, to verify the environment outside of the VPN.
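Since the thread turns on whether the crypto ACLs (interesting traffic) and the NAT-exemption ACLs on both ASAs really cover every subnet pair, here is an added example of the consistency check a reviewer would run over the two sanitised configs. It is not code from the thread or from Cisco: the ACL lines, the ACL names (`outside_cryptomap`, `nonat`) and the addresses are constructed sample data in the pre-8.3 `access-list ... extended permit ip` form, and the sample is built so that the HQ side defines one subnet pair that the remote side does not mirror, which is one of the ways the "comes up from one side only" pattern can show itself; nothing here asserts that this is the poster's actual fault.

```python
"""
Added example (not from the thread): parse the crypto ACL and the NAT-exemption
ACL from two sanitised ASA configs and report (a) interesting-traffic pairs that
the peer does not mirror and (b) crypto pairs with no NAT exemption on the same
box. ACL names, interface names and all addresses below are constructed
sample data, not the poster's configuration.
"""
import ipaddress
import re

# One ASA extended ACE of the form:
#   access-list NAME extended permit ip SRC SMASK DST DMASK
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: HQ lists three LAN subnets towards the remote LAN,
# and its nonat ACL covers all three.
HQ_CFG = """
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.10.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.11.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.11.0 255.255.255.0 10.2.0.0 255.255.255.0
"""

# Constructed sample: the remote side mirrors only two of the three pairs in
# its crypto ACL, although its nonat ACL covers all three.
REMOTE_CFG = """
access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.1.11.0 255.255.255.0
"""


def parse_acl(config_text, acl_name):
    """Return the set of (src_network, dst_network) pairs permitted by acl_name."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            # ip_network accepts dotted netmasks; strict=False tolerates host bits.
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            pairs.add((src, dst))
    return pairs


def mirror(pairs):
    """Swap source and destination so a peer's ACL can be compared directly."""
    return {(dst, src) for src, dst in pairs}


def check_tunnel(hq_cfg, hq_crypto, hq_nonat, rem_cfg, rem_crypto, rem_nonat):
    """Return findings as lists of (src, dst) pairs; all-empty means consistent."""
    hq_c = parse_acl(hq_cfg, hq_crypto)
    rem_c = parse_acl(rem_cfg, rem_crypto)
    hq_n = parse_acl(hq_cfg, hq_nonat)
    rem_n = parse_acl(rem_cfg, rem_nonat)
    return {
        # Interesting traffic defined on one side that the peer does not mirror:
        "hq_crypto_not_mirrored": sorted(hq_c - mirror(rem_c)),
        "remote_crypto_not_mirrored": sorted(rem_c - mirror(hq_c)),
        # Crypto pairs that would be NATed before encryption on the same box:
        "hq_crypto_without_nonat": sorted(hq_c - hq_n),
        "remote_crypto_without_nonat": sorted(rem_c - rem_n),
    }


def as_strings(findings):
    """Render the findings with plain CIDR strings for printing or comparison."""
    return {k: [(str(s), str(d)) for s, d in v] for k, v in findings.items()}


if __name__ == "__main__":
    result = check_tunnel(HQ_CFG, "outside_cryptomap", "nonat",
                          REMOTE_CFG, "outside_cryptomap", "nonat")
    for key, pairs in as_strings(result).items():
        print(f"{key}: {pairs or 'OK'}")
```

Run against the constructed sample, the only finding is the HQ pair 10.1.11.0/24 -> 10.2.0.0/24 with no mirror on the remote side. Traffic from such a subnet cannot bring the tunnel up from HQ, because the peer has no matching proxy identity for the Phase 2 proposal, while the same pair is still fine when initiated from the other direction only if the peer's own ACL names it. Feed it the real sanitised configs (with the actual ACL names) and also run it once per remote site, since the poster notes that three other sites with "the same configuration" work.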