site-to-site between ASA 5505s: one subnet can't send traffic across VPN
Hello again! In case you saw my last post, I was successful in sorting out the isakmp problem with my site-to-site tunnel a couple of weeks ago.
Everything is running fine now, except for one odd thing. First, some topology:
Our main campus is Plant 1 (192.168.32.0/20), Plant 2 (192.168.16.0/20), and MOS (192.168.0.0/20). The ASA "KSIASA01" is at the main campus.
On the other side of the tunnel, on a ~400kbps SDSL circuit, is Plant 3 (192.168.48.0/20), and the ASA "KSIASA03".
Now, from our main campus, I can ping addresses in Plant 3 just fine if I start from the subnets 192.168.11.0/24, 192.168.18.0/24, 192.168.25.0/24, 192.168.42.0/24. However, several other subnets fail when I ping from the main campus. The one I am most concerned with is 192.168.38.0/24.
Here's the twist: if I ping from Plant 3, I can ping everything in the main campus just fine. Also, after I ping the 192.168.38.0/24 subnet from Plant 3, I can then ping back from 192.168.38.0/24 to Plant 3 without problems. But after an hour or so, we can't anymore.
On KSIASA01, if I run the Packet Tracer, the failing pings reach "VPN Lookup," and then fail with "(acl-drop) Flow is denied by configured rule."
My research so far tells me that it may be a NAT problem, but I can't figure it out. I will attach sanitized configs for the two ASAs. Thanks in advance for your advice and assistance.
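An added diagnostic, not from the original post or either ASA's config: given a crypto ACL in `access-list ... extended permit ip A MASK B MASK` form, it reports whether a source/destination pair matches the local crypto ACL, matches only the mirror image of the remote side's crypto ACL, or neither. The ACL contents below are constructed to reproduce the symptom in the post (the real configs were attached and are not reproduced here); the pattern of working only after Plant 3 initiates, then stopping after about an hour, is what a crypto ACL that is narrower on one side than on the other produces, so this is the check to run against the actual configs.

```python
# Added example: classify a flow against the local crypto ACL and the
# mirror of the remote crypto ACL. The ACL text is CONSTRUCTED; the real
# KSIASA01/KSIASA03 configs are not on the page.
import ipaddress
import re

ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

def parse_acl(text):
    """Return [(src_net, dst_net)] for 'permit ip A MASK B MASK' lines."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            _, src, smask, dst, dmask = m.groups()
            entries.append((ipaddress.ip_network(f"{src}/{smask}"),
                            ipaddress.ip_network(f"{dst}/{dmask}")))
    return entries

def matching_entry(acl, src_ip, dst_ip):
    """First ACL entry covering src->dst, or None (no proxy-ID match)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return (src_net, dst_net)
    return None

# Constructed: KSIASA01's crypto ACL lists only the four /24s that work.
LOCAL_ACL = parse_acl("""
access-list VPN_TO_P3 extended permit ip 192.168.11.0 255.255.255.0 192.168.48.0 255.255.240.0
access-list VPN_TO_P3 extended permit ip 192.168.18.0 255.255.255.0 192.168.48.0 255.255.240.0
access-list VPN_TO_P3 extended permit ip 192.168.25.0 255.255.255.0 192.168.48.0 255.255.240.0
access-list VPN_TO_P3 extended permit ip 192.168.42.0 255.255.255.0 192.168.48.0 255.255.240.0
""")
# Constructed: KSIASA03's crypto ACL uses the whole campus /20s instead.
REMOTE_ACL = parse_acl("""
access-list VPN_TO_P1 extended permit ip 192.168.48.0 255.255.240.0 192.168.32.0 255.255.240.0
access-list VPN_TO_P1 extended permit ip 192.168.48.0 255.255.240.0 192.168.16.0 255.255.240.0
access-list VPN_TO_P1 extended permit ip 192.168.48.0 255.255.240.0 192.168.0.0 255.255.240.0
""")

def classify(src_ip, dst_ip):
    """'local' if KSIASA01 can initiate the SA for this flow, 'remote-only'
    if it matches only while an SA brought up by KSIASA03 exists, else 'none'."""
    if matching_entry(LOCAL_ACL, src_ip, dst_ip):
        return "local"
    mirrored = [(d, s) for s, d in REMOTE_ACL]  # swap src/dst of remote ACL
    if matching_entry(mirrored, src_ip, dst_ip):
        return "remote-only"
    return "none"
```

A flow classified `remote-only` is one the main campus can use only while the SA the remote side negotiated is still alive, which matches the hour-or-so window described above; adding the missing source subnets to the local crypto ACL (and its NAT exemption) is what makes both sides mirror images.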