
site-to-site between ASA 5505s: one subnet can't send traffic across VPN

jeffrsonk
Level 1

Hello again! In case you saw my last post, I was successful in sorting out the isakmp problem with my site-to-site tunnel a couple of weeks ago.

Everything is running fine now, except for one odd thing. First, some topology:

Our main campus is Plant 1 (192.168.32.0/20), Plant 2 (192.168.16.0/20), and MOS (192.168.0.0/20). The ASA "KSIASA01" is at the main campus.

On the other side of the tunnel, on a ~400kbps SDSL circuit, is Plant 3 (192.168.48.0/20), and the ASA "KSIASA03".

Now, from our main campus, I can ping addresses in Plant 3 just fine if I start from the subnets 192.168.11.0/24, 192.168.18.0/24, 192.168.25.0/24, 192.168.42.0/24. However, several other subnets fail when I ping from the main campus. The one I am most concerned with is 192.168.38.0/24.

Here's the twist: if I ping from Plant 3, I can ping everything in the main campus just fine. Also, after I ping the 192.168.38.0/24 subnet from Plant 3, I can then ping back from 192.168.38.0/24 to Plant 3 without problems. But after an hour or so, we can't anymore.

On KSIASA01, if I run the Packet Tracer, the failing pings reach "VPN Lookup," and then fail with "(acl-drop) Flow is denied by configured rule."

My research so far tells me that it may be a NAT problem, but I can't figure it out. I will attach sanitized configs for the two ASAs. Thanks in advance for your advice and assistance.

Accepted Solution

Hello, Jefferson.

NAT looks fine (at first glance).

The only issue I found is inconsistency in encryption ACLs:

    object-group network Plant1-Plant2-MOS
     network-object MOS 255.255.240.0
     network-object Plant2 255.255.240.0
     network-object Plant1 255.255.240.0
    access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0

vs.

    object-group network Plant1Plant2MOS
     network-object MOS 255.255.240.0
     network-object Plant2 255.255.240.0
     network-object Subnet38 255.255.255.0
     network-object Subnet42 255.255.255.0
    access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS
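The inconsistency the answer points at can be checked mechanically. The Python below is an added example (not part of the thread, and not a Cisco tool): it parses the two quoted object-groups and crypto ACLs, expands them into (source, destination) pairs, and for a given flow reports whether the entry each ASA would select is the exact mirror of the other's. The subnets behind the ASA names are assumed from the topology given in the question.

```python
import ipaddress
import re
# Subnet behind each ASA name, taken from the topology described in the question
# (the "name" statements themselves are not shown in the thread).
NAMES = {"MOS": "192.168.0.0", "Plant1": "192.168.32.0", "Plant2": "192.168.16.0",
         "Plant3": "192.168.48.0", "Subnet38": "192.168.38.0", "Subnet42": "192.168.42.0"}

def parse_crypto_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]}; object-groups are expanded."""
    groups, acls, current = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:1] == ["network-object"] and current:
            groups[current].append(ipaddress.ip_network(f"{NAMES[tok[1]]}/{tok[2]}"))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            # each endpoint is written either as "object-group NAME" or as "NAME MASK"
            ends = [groups[g] if g else [ipaddress.ip_network(f"{NAMES[n]}/{k}")]
                    for g, n, k in re.findall(r"object-group (\S+)|(\S+) (\S+)", m.group(2))]
            acls.setdefault(m.group(1), []).extend((s, d) for s in ends[0] for d in ends[1])
    return acls

def matching_entry(entries, src_ip, dst_ip):
    """First expanded entry covering the flow, in configured order (as the ASA picks it)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next(((s, d) for s, d in entries if src in s and dst in d), None)

def check_flow(local, remote, src_ip, dst_ip):
    """'mirror' when the peer's entry for the reverse flow is the exact reverse of
    ours, i.e. both sides would propose the same proxy IDs; 'mismatch' otherwise."""
    mine = matching_entry(local, src_ip, dst_ip)
    peer = matching_entry(remote, dst_ip, src_ip)
    if mine is None or peer is None:
        return "no-match"
    return "mirror" if (peer[1], peer[0]) == mine else "mismatch"

# The two encryption ACLs quoted in the accepted answer.
KSIASA01 = """object-group network Plant1-Plant2-MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Plant1 255.255.240.0
access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0"""
KSIASA03 = """object-group network Plant1Plant2MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Subnet38 255.255.255.0
 network-object Subnet42 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS"""
SITE1 = parse_crypto_acls(KSIASA01)["outside_2_cryptomap"]
SITE3 = parse_crypto_acls(KSIASA03)["outside_1_cryptomap"]
```

For a host in 192.168.11.0/24 pinging Plant 3 the check returns "mirror" (both sides select the MOS /20), while for 192.168.38.0/24 it returns "mismatch": KSIASA01 selects 192.168.32.0/20 but KSIASA03 selects 192.168.38.0/24, so the proxy IDs the two ASAs propose do not agree.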

Replies
Gah!! How stupid of me. I had fixed that error once already during initial tunnel troubleshooting. I must have not written that change to memory, or something. All is well now. Thank you very much!!