[c-nsp] VPN IPsec and NAT

Garrett Skjelstad garrett at skjelstad.org
Wed Oct 12 11:50:38 EDT 2016


Post relevant sanitized phase2 configurations.

Mainly your ACLs.

On Oct 12, 2016 04:37, "Tseveendorj Ochirlantuu" <tseveendorj at gmail.com>
wrote:

> Hello
>
> I'm new to site-to-site IPsec VPN and also to the ASA 5505 firewall.
>
> My site-to-site IPsec VPN tunnel is established between SiteA and SiteB, and
> I can ping an IP behind the firewall. Now I need to
>
> Site A is VPN one end
> Site B is VPN other end
> Site C is VPN other end
> IP1 is located outside of Site B.
>
>
> SiteA ----------------------------> SiteB ----------------------------> SiteC
>            Site to Site VPN                     Site to Site VPN
>
> Which means SiteB has two IPsec VPN config.
>
>
> Now I want, if Site A accesses IP1, for the traffic to go over the VPN, and Site B's
> firewall should NAT Site A's LAN IP to its outside interface address (PAT
> overload) and reach IP1.
>
>
> I'm trying to do this but with no success. I have a log from the firewall. I just
> sanitized the IP addresses to the names above.
>
> %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence
> number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB
> Public IP".  The decapsulated inner packet doesn't match the negotiated
> policy in the SA.  The packet specifies its destination as "IP1", its
> source as "SiteA Local IP", and its protocol as 6.  The SA specifies its
> local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA
> Local subnet" /0/0.
>
> What is the problem? Thank you.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
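As an added example (not code from this thread or from Cisco), here is a small Python check that parses the %ASA-4-402116 event quoted above, tests the decapsulated inner packet against the proxy IDs the SA was negotiated with, and then looks for a crypto ACL entry on SiteB that would cover the flow. The addresses are constructed placeholders (RFC 1918 LAN ranges and RFC 5737 documentation addresses) standing in for the sanitized names, and the two ACL tables are assumptions about what SiteB's crypto map ACL toward SiteA might contain, not the poster's configuration.

```python
"""Diagnose an ASA-4-402116 'inner packet doesn't match the negotiated policy'
event by comparing the inner packet with the SA's proxy IDs and with a
candidate crypto ACL. Added example; the addresses and ACLs are assumptions."""
import ipaddress
import re

# Constructed sample: the poster's log line with placeholders replaced by
# documentation addresses (an assumption, not the real addresses).
#   SiteA public 192.0.2.1     SiteB public 198.51.100.1
#   SiteA LAN    10.1.1.0/24   SiteC LAN    10.3.0.0/24   IP1 203.0.113.10
SAMPLE_LOG = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence "
    "number= 0x75) from 192.0.2.1 (user= 192.0.2.1) to 198.51.100.1.  "
    "The decapsulated inner packet doesn't match the negotiated policy in the "
    "SA.  The packet specifies its destination as 203.0.113.10, its source as "
    "10.1.1.25, and its protocol as 6.  The SA specifies its local proxy as "
    "10.3.0.0/255.255.255.0/0/0 and its remote_proxy as 10.1.1.0/255.255.255.0/0/0."
)

# The proxy IDs are logged as net/mask/protocol/port.
PATTERN = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\.\s+The SA specifies its local proxy as "
    r"(?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ and its remote_proxy as "
    r"(?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+"
)


def parse_402116(line):
    """Extract the inner packet and the SA proxy IDs from one 402116 event."""
    m = PATTERN.search(line)
    if not m:
        raise ValueError("not a parseable %ASA-4-402116 line")
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": int(m["proto"]),
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        "sa_local": ipaddress.ip_network(f"{m['lnet']}/{m['lmask']}", strict=False),
        "sa_remote": ipaddress.ip_network(f"{m['rnet']}/{m['rmask']}", strict=False),
    }


def packet_matches_sa(event):
    """On the receiving ASA an inbound inner packet must have its source inside
    the SA's remote proxy and its destination inside the local proxy."""
    return event["src"] in event["sa_remote"] and event["dst"] in event["sa_local"]


def find_covering_entry(crypto_acl, src, dst):
    """crypto_acl: list of (local_network, remote_network) pairs, written the
    way the receiving ASA's crypto map ACL expresses them (local side first).
    Returns the first entry that would select this inbound flow, or None."""
    for local, remote in crypto_acl:
        if dst in local and src in remote:
            return (local, remote)
    return None


def diagnose(line, crypto_acl):
    """One-line verdict a practitioner can paste back into the thread."""
    ev = parse_402116(line)
    if packet_matches_sa(ev):
        return "inner packet matches the SA proxy IDs; look elsewhere"
    entry = find_covering_entry(crypto_acl, ev["src"], ev["dst"])
    if entry is None:
        return (f"no crypto ACL entry covers {ev['src']} -> {ev['dst']} "
                f"(proto {ev['proto']}); add local {ev['dst']}/32 <-> remote "
                f"{ev['sa_remote']} on this peer's crypto map ACL")
    return f"flow is covered by {entry[0]} <-> {entry[1]}; check the peer side"


# Assumed SiteB crypto ACL toward SiteA: only the SiteC<->SiteA pair exists.
SITEB_ACL_BEFORE = [
    (ipaddress.ip_network("10.3.0.0/24"), ipaddress.ip_network("10.1.1.0/24")),
]
# Assumed corrected ACL: IP1 (pre-NAT inner destination) added against SiteA's LAN.
SITEB_ACL_AFTER = SITEB_ACL_BEFORE + [
    (ipaddress.ip_network("203.0.113.10/32"), ipaddress.ip_network("10.1.1.0/24")),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SITEB_ACL_BEFORE))
    print(diagnose(SAMPLE_LOG, SITEB_ACL_AFTER))
```

The point the check makes explicit: the ASA compares the decapsulated, pre-NAT inner addresses with the proxy IDs that were negotiated for the SA, so a PAT rule on SiteB's outside interface cannot rescue a packet whose SiteA-LAN to IP1 selector was never part of any crypto ACL between the two peers; in the quoted event the only SA between SiteA and SiteB is the SiteA-to-SiteC one. Both ends have to carry the extra selector (IP1 against SiteA's LAN), the PAT to the outside interface then applies after decryption, and sending decrypted traffic back out the same outside interface additionally needs `same-security-traffic permit intra-interface` on the ASA.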

