site-to-site between ASA 5505s: one subnet can't send traffic across VPN

Hello again! In case you saw my last post, I was successful in sorting out the isakmp problem with my site-to-site tunnel a couple of weeks ago.

Everything is running fine now, except for one odd thing. First, some topology:

Our main campus is Plant 1 (192.168.32.0/20), Plant 2 (192.168.16.0/20), and MOS (192.168.0.0/20). The ASA "KSIASA01" is at the main campus.

On the other side of the tunnel, on a ~400kbps SDSL circuit, is Plant 3 (192.168.48.0/20), and the ASA "KSIASA03".

Now, from our main campus, I can ping addresses in Plant 3 just fine if I start from the subnets 192.168.11.0/24, 192.168.18.0/24, 192.168.25.0/24, 192.168.42.0/24. However, several other subnets fail when I ping from the main campus. The one I am most concerned with is 192.168.38.0/24.

Here's the twist: if I ping from Plant 3, I can ping everything in the main campus just fine. Also, after I ping the 192.168.38.0/24 subnet from Plant 3, I can then ping back from 192.168.38.0/24 to Plant 3 without problems. But after an hour or so, we can't anymore.

On KSIASA01, if I run the Packet Tracer, the failing pings reach "VPN Lookup," and then fail with "(acl-drop) Flow is denied by configured rule."

My research so far tells me that it may be a NAT problem, but I can't figure it out. I will attach sanitized configs for the two ASAs. Thanks in advance for your advice and assistance.


Accepted Solutions

site-to-site between ASA 5505s: one subnet can't send traffic across VPN

Hello, Jefferson.

NAT looks fine (at first glance).

The only issue I found is an inconsistency in the encryption ACLs:

! crypto ACL with the main-campus networks as the local side: all three /20s to Plant3
object-group network Plant1-Plant2-MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Plant1 255.255.240.0
access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0

vs.

! crypto ACL with Plant3 as the local side: no Plant1 /20 here, Subnet38 and Subnet42 /24s instead
object-group network Plant1Plant2MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Subnet38 255.255.255.0
 network-object Subnet42 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS
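The mismatch above is the kind of thing that is easy to miss by eye once object groups are involved, so here is an added example (not from the thread, and not anything the ASA itself does) that expands both crypto ACLs into (local, remote) network pairs and reports every entry without an exact mirror on the peer. The `name` aliases for MOS, Plant1, Plant2, Plant3, Subnet38 and Subnet42 are assumptions taken from the topology in the original post, and which fragment belongs to which ASA is inferred from which networks form the local side of each ACE; the sample configs are constructed from the two fragments quoted in the answer.

```python
"""Added example (not from the thread): check that two ASA peers' crypto-map
ACLs (their encryption domains) are exact mirrors of each other.

Understands only the configuration forms the answer quotes: `name`,
`object-group network` + `network-object <ip-or-name> <mask>`, and
`access-list <acl> extended permit ip <src> <dst>` with each side either
`object-group <g>` or `<ip-or-name> <mask>`.
"""
import ipaddress

Net = ipaddress.IPv4Network


def _ref(tok, names, groups):
    """Consume one src/dst reference of an ACE; return (networks, remaining tokens)."""
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    ip = names.get(tok[0], tok[0])            # resolve an ASA `name` alias
    return [Net(f"{ip}/{tok[1]}", strict=False)], tok[2:]


def parse_crypto_acl(config, acl_name):
    """Expand the named ACL into a list of (local, remote) network pairs."""
    names, groups, pairs, group = {}, {}, [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "name":                  # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and group is not None:
            group.extend(_ref(tok[1:], names, groups)[0])
        elif (tok[0] == "access-list" and tok[1] == acl_name
              and tok[2:5] == ["extended", "permit", "ip"]):
            group = None
            src, rest = _ref(tok[5:], names, groups)
            dst, _ = _ref(rest, names, groups)
            pairs.extend((s, d) for s in src for d in dst)
        else:
            group = None
    return pairs


def mirror_report(cfg_a, acl_a, cfg_b, acl_b):
    """Compare A's (local, remote) pairs with the mirror image of B's.

    missing_on_b:    A entries that B cannot match exactly.
    extra_on_b:      B entries (mirrored) that A does not have.
    narrower_than_a: those extras that sit inside some A entry, i.e. one side
                     narrowed a /20 to a /24.
    """
    a = set(parse_crypto_acl(cfg_a, acl_a))
    b = {(d, s) for s, d in parse_crypto_acl(cfg_b, acl_b)}
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    extra = sorted(b - a)
    narrower = [p for p in extra
                if any(p[0].subnet_of(q[0]) and p[1].subnet_of(q[1]) for q in a)]
    return {"missing_on_b": [fmt(p) for p in sorted(a - b)],
            "extra_on_b": [fmt(p) for p in extra],
            "narrower_than_a": [fmt(p) for p in narrower]}


# Constructed sample input: the two fragments quoted in the accepted answer.
# The `name` aliases are ASSUMED from the topology in the original post.
SIDE_MAIN = """\
name 192.168.0.0 MOS
name 192.168.16.0 Plant2
name 192.168.32.0 Plant1
name 192.168.48.0 Plant3
object-group network Plant1-Plant2-MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Plant1 255.255.240.0
access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0
"""

SIDE_PLANT3 = """\
name 192.168.0.0 MOS
name 192.168.16.0 Plant2
name 192.168.48.0 Plant3
name 192.168.38.0 Subnet38
name 192.168.42.0 Subnet42
object-group network Plant1Plant2MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Subnet38 255.255.255.0
 network-object Subnet42 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS
"""

# Same Plant3 side with the two /24s replaced by the whole Plant1 /20.
SIDE_PLANT3_FIXED = SIDE_PLANT3.replace(
    " network-object Subnet38 255.255.255.0\n network-object Subnet42 255.255.255.0\n",
    " network-object Plant1 255.255.240.0\n",
).replace("name 192.168.38.0 Subnet38\n", "name 192.168.32.0 Plant1\n")

if __name__ == "__main__":
    print(mirror_report(SIDE_MAIN, "outside_2_cryptomap", SIDE_PLANT3, "outside_1_cryptomap"))
```

On the fragments as posted the report lists 192.168.32.0/20 -> 192.168.48.0/20 as missing on the Plant3 side and the two /24 entries as extras that are narrower than the main-campus entry; with Plant1 substituted on the Plant3 side the report is empty. The check is deliberately exact-match: a /24 on one side still leaves the other side's /20 proposal with nothing to match, so narrower entries are flagged rather than tolerated.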

site-to-site between ASA 5505s: one subnet can't send traffic across VPN

Gah!! How stupid of me. I had fixed that error once already during initial tunnel troubleshooting. I must not have written that change to memory, or something. All is well now. Thank you very much!!
