Post relevant sanitized phase2 configurations. Mainly your ACLs.
On Oct 12, 2016 04:37, "Tseveendorj Ochirlantuu" <tseveend...@gmail.com> wrote:
> Hello
>
> I'm new to site to site IPsec VPN and also to the ASA 5505 firewall.
>
> My site to site IPsec VPN tunnel is established between SiteA and SiteB,
> and I can ping an IP behind the firewall. Now I need to
>
> Site A is VPN one end
> Site B is VPN other end
> Site C is VPN other end
> IP1 is located outside of Site B.
>
>
> SiteA ---------------------> SiteB ---------------------> SiteC
>        Site to Site VPN             Site to Site VPN
>
> Which means SiteB has two IPsec VPN configs.
>
>
> Now I want that if Site A accesses IP1, then it goes over the VPN and Site B's
> firewall should NAT Site A's LAN IP to its outside interface address (PAT
> overload) and reach IP1.
>
>
> I'm trying to do this but with no success. I have a log in the firewall. I just
> sanitized the IP addresses to the above names.
>
> %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence
> number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB
> Public IP". The decapsulated inner packet doesn't match the negotiated
> policy in the SA. The packet specifies its destination as "IP1", its
> source as "SiteA Local IP", and its protocol as 6. The SA specifies its
> local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA
> Local subnet" /0/0.
>
> What is the problem? Thank you.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/