Cisco ASA VPN issue

Pulling my hair out here over something that should have been massively simple. Needed to add two new subnets, one per site, to our network. Traffic from these subnets should be allowed over the site-to-site tunnel.

I created the new subnets locally (on 3750-X switching, just for clarity), then created the relevant network objects on the ASAs and added those network objects to the network object groups that correspond to both ends of the (already existing) tunnel. Simplified, the network topology is like this:

3750X Switching (L3 Routing enabled) <---> ASA 5512X <---> WAN <---> ASA 5510 <---> 3750G Switching (L3 Routing enabled).

Now, traffic was already flowing for the previously existing subnets (SERVERS, CLIENT, WIFI), and these subnets are either part of a network object group called VPN_NET_LOCAL or VPN_NET_REMOTE depending on which end of the tunnel they are. The new subnets were added to these groups in theory resulting in no further configuration required (as the No-NAT rules, access rules, crypto maps, etc were all referencing the group objects).

Yet here I am, with traffic to Site B's new subnet from Site A being completely unreachable, yet traffic to Site A's new subnet from Site B's old subnets is fine :confused:

Halp plz.
 
Main things here would be to check crypto map ACLs, check standard/extended ACLs, check NO NATs.


Might also be worth pasting the packet-tracer outputs from either end when you packet-trace from one end to the other, and vice versa, to see what happens when the traffic is simulated from either end: is it going through all the stages? Is it being blocked somewhere? Is it encrypting the traffic correctly?
 
Certainly sounds ACL, NAT or route related if the tunnel is up and running. Need the configurations though really.
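As an added example (not posted by anyone in this thread), a small Python check that reads the object-group definitions from both ASAs' configs and reports any subnet one end lists as LOCAL that the peer does not list as REMOTE; since the crypto ACL, NAT exemption and routes are all built from those groups, a one-sided gap produces exactly the asymmetric reachability described above. The two config fragments and the object names in them are constructed for the example.

```python
import ipaddress
import re
# Constructed ASA config fragments for each end of the tunnel (not the poster's real config).
SITE_A = """\
object network NEW_A
 subnet 10.1.50.0 255.255.255.0
object-group network VPN_NET_LOCAL
 network-object 10.1.20.0 255.255.255.0
 network-object object NEW_A
object-group network VPN_NET_REMOTE
 network-object 10.2.20.0 255.255.255.0
"""
SITE_B = """\
object network NEW_B
 subnet 10.2.50.0 255.255.255.0
object-group network VPN_NET_LOCAL
 network-object 10.2.20.0 255.255.255.0
 network-object object NEW_B
object-group network VPN_NET_REMOTE
 network-object 10.1.20.0 255.255.255.0
 network-object 10.1.50.0 255.255.255.0
"""
def parse_asa(config):
    """Collect 'object network' subnets and 'object-group network' members from config text."""
    objects, groups, scope = {}, {}, (None, None)
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            scope = ("obj", m[1])
        elif m := re.match(r"object-group network (\S+)", line):
            scope, groups[m[1]] = ("grp", m[1]), []
        elif (m := re.match(r" subnet (\S+) (\S+)", line)) and scope[0] == "obj":
            objects[scope[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif (m := re.match(r" network-object object (\S+)", line)) and scope[0] == "grp":
            groups[scope[1]].append(m[1])  # reference to a named object
        elif (m := re.match(r" network-object (\S+) (\S+)", line)) and scope[0] == "grp":
            groups[scope[1]].append(f"{m[1]}/{m[2]}")  # inline address + mask
    return objects, groups

def group_subnets(config, group):
    """Resolve an object-group to the set of ip_network values it covers."""
    objects, groups = parse_asa(config)
    return {objects[m] if m in objects else ipaddress.ip_network(m) for m in groups.get(group, [])}

def mirror_gaps(site_a, site_b):
    """Subnets one end lists as LOCAL that the peer does not list as REMOTE (peer's ACL/no-NAT miss them)."""
    a_local, a_remote = group_subnets(site_a, "VPN_NET_LOCAL"), group_subnets(site_a, "VPN_NET_REMOTE")
    b_local, b_remote = group_subnets(site_b, "VPN_NET_LOCAL"), group_subnets(site_b, "VPN_NET_REMOTE")
    return {"peer_B_lacks": sorted(map(str, a_local - b_remote)),
            "peer_A_lacks": sorted(map(str, b_local - a_remote))}
```

Run against `show run object` / `show run object-group` output from both firewalls; with the constructed data above it reports that Site A's VPN_NET_REMOTE lacks 10.2.50.0/24, which matches traffic to Site B's new subnet failing while the reverse direction works.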
 