[c-nsp] VPN IPsec and NAT

Tseveendorj Ochirlantuu tseveendorj at gmail.com
Wed Oct 12 07:37:28 EDT 2016


Hello

I'm new to site-to-site IPsec VPN and also to the ASA 5505 firewall.

My site-to-site IPsec VPN tunnel is established between SiteA and SiteB, and I
can ping IPs behind the firewall. Now I need the following:

Site A is one end of the VPN
Site B is the other end of the VPN
Site C is another end of the VPN
IP1 is located outside of Site B.


SiteA ---------------------------------> SiteB ---------------------------------> SiteC
                 Site to Site VPN                         Site to Site VPN

Which means SiteB has two IPsec VPN configs.


Now I want it so that if Site A accesses IP1, the traffic goes over the VPN and
Site B's firewall NATs Site A's LAN IP to its outside interface address (PAT
overload) and reaches IP1.


I'm trying this but with no success. I have a log from the firewall; I have
just sanitized the IP addresses to the names above.

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence
number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB
Public IP".  The decapsulated inner packet doesn't match the negotiated
policy in the SA.  The packet specifies its destination as "IP1", its
source as "SiteA Local IP", and its protocol as 6.  The SA specifies its
local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA
Local subnet"/0/0.

What is the problem ? Thank you.

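The 402116 message above is the ASA's proxy-identity check: the only SA it has with SiteA carries the selectors SiteC subnet <-> SiteA subnet, and a packet for IP1 falls outside that, so it is dropped before NAT is ever consulted. For a design like the one the post describes (SiteA traffic for IP1 hairpinned at SiteB and PATed to SiteB's outside address), the SiteB side needs IP1 in the crypto ACL of the SiteA tunnel, the matching mirror entry on SiteA, intra-interface traffic enabled, and an outside-to-outside twice NAT rule. The configuration below is an added illustration written for this page, not the poster's configuration or a Cisco document; all names and addresses (SITEA_LAN 10.1.0.0/24, SITEC_LAN 10.3.0.0/24, IP1 203.0.113.10, peers 198.51.100.1 and 198.51.100.3, the object, ACL and map names) are made-up assumptions, and the `ikev1` keyword forms assume ASA 8.4 or later.

```cisco
! Added example for SiteB (ASA 8.4+/9.x syntax). Addresses and names are
! assumptions, not values from the original post.
!
! Decrypted traffic arriving on outside that must leave via outside again
! (to IP1 after PAT, or re-encrypted towards SiteC) is U-turn traffic; the
! ASA drops it unless this is enabled.
same-security-traffic permit intra-interface

object network SITEA_LAN
 subnet 10.1.0.0 255.255.255.0
object network SITEC_LAN
 subnet 10.3.0.0 255.255.255.0
object network IP1_HOST
 host 203.0.113.10

! Crypto ACL for the SiteA tunnel. The first line is what the 402116 log
! shows as the SA proxies today; the second line adds IP1 so that an SA
! with IP1 <-> SiteA LAN as its identities can be negotiated. SiteA must
! carry the mirror image, e.g.
!   access-list VPN_TO_SITEB extended permit ip 10.1.0.0 255.255.255.0 host 203.0.113.10
! otherwise SiteA never proposes those selectors and the drop persists.
access-list VPN_TO_SITEA extended permit ip object SITEC_LAN object SITEA_LAN
access-list VPN_TO_SITEA extended permit ip object IP1_HOST object SITEA_LAN

! Crypto ACL for the SiteC tunnel (SiteA LAN reaches SiteC through SiteB).
access-list VPN_TO_SITEC extended permit ip object SITEA_LAN object SITEC_LAN

! Hairpin PAT: only SiteA LAN -> IP1 is translated to the outside interface
! address. Twice NAT with a static destination keeps SiteA <-> SiteC traffic
! untouched, so it still matches VPN_TO_SITEC after the NAT stage. The reply
! from IP1 is un-translated back to 10.1.0.x before the crypto map is checked
! on egress, so it matches the IP1 -> SiteA line and is encrypted to SiteA.
nat (outside,outside) source dynamic SITEA_LAN interface destination static IP1_HOST IP1_HOST

crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEA
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_SITEC
crypto map OUTSIDE_MAP 20 set peer 198.51.100.3
crypto map OUTSIDE_MAP 20 set ikev1 transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

! Verification after the change (run from SiteB):
!   show crypto ipsec sa peer 198.51.100.1
!     -> expect a second SA whose local ident is 203.0.113.10/255.255.255.255
!        and remote ident is 10.1.0.0/255.255.255.0
!   packet-tracer input outside tcp 10.1.0.10 1025 203.0.113.10 80
!     -> expect the NAT phase to show the (outside,outside) rule and a final
!        action of allow; a drop at the VPN phase means the crypto ACLs still
!        do not cover IP1 on one of the two ends.
```

The caveat a practitioner will hit: the packet is checked against the SA's proxy identities before NAT, so no NAT rule on SiteB can fix a 402116 drop by itself; the selectors have to be widened on both ends of the SiteA tunnel first. On ASA releases before 8.4 the `ikev1` keyword is absent (`crypto isakmp ...`, `set transform-set`), and before 8.3 the twice NAT syntax above does not exist.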

More information about the cisco-nsp mailing list