Post relevant sanitized phase2 configurations.

Mainly your ACLs.

On Oct 12, 2016 04:37, "Tseveendorj Ochirlantuu" wrote:

> Hello
> I'm new to site-to-site IPsec VPN and also to the ASA 5505 firewall.
> My site-to-site IPsec VPN tunnel is established between SiteA and SiteB, and
> I can ping an IP behind the firewall. Now I need to
> Site A is VPN one end
> Site B is VPN other end
> Site C is VPN other end
> IP1 is located outside of Site B.
> SiteA -----------------------------------> SiteB --------------------------------> SiteC
>                 Site to Site VPN                              Site to Site
> Which means SiteB has two IPsec VPN configs.
> Now I want that if Site A accesses IP1, it goes over the VPN and Site B's
> firewall should NAT Site A's LAN IP to its outside interface address (PAT
> overload) and reach IP1.
> I'm trying to do this but with no success. I have a log in the firewall. I just
> sanitized the IP addresses to the names above.
> %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence
> number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB
> Public IP".  The decapsulated inner packet doesn't match the negotiated
> policy in the SA.  The packet specifies its destination as "IP1", its
> source as "SiteA Local IP", and its protocol as 6.  The SA specifies its
> local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA
> Local subnet" /0/0.
> What is the problem? Thank you.
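An added example, not part of the original thread: a small Python check that parses a 402116 message and reports which field of the decapsulated packet falls outside the SA's proxy identities. The sample line is constructed, with stand-in addresses replacing the sanitized names, and the addr/mask/protocol/port layout of each proxy is an assumption about the unsanitized log.

```python
import ipaddress
import re

# Constructed sample in the layout of the message quoted above; the addresses
# are stand-ins for the sanitized names, and the addr/mask/protocol/port form
# of each proxy is an assumption about the unsanitized log.
SAMPLE = (
    '%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence '
    'number= 0x75) from 198.51.100.1 (user= 198.51.100.1) to 198.51.100.2.  '
    "The decapsulated inner packet doesn't match the negotiated policy in the "
    'SA.  The packet specifies its destination as 203.0.113.10, its source as '
    '10.1.1.25, and its protocol as 6.  The SA specifies its local proxy as '
    '10.3.3.0/255.255.255.0/0/0 and its remote_proxy as '
    '10.1.1.0/255.255.255.0/0/0.'
)

PATTERN = re.compile(
    r'destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), '
    r'and its protocol as (?P<proto>\d+)\.\s+The SA specifies its local proxy '
    r'as (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ and its remote[_ ]proxy '
    r'as (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+'
)


def explain_402116(line):
    """Return which inner-packet fields fall outside the SA's proxy identities."""
    # Collapse wrapped or doubled whitespace so syslog line breaks do not matter.
    m = PATTERN.search(' '.join(line.split()))
    if m is None:
        raise ValueError('not a 402116 proxy-mismatch message')
    local = ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}")
    remote = ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}")
    mismatches = []
    # On the receiving ASA the inner destination must sit in the local proxy
    # and the inner source in the remote proxy of the SA the packet arrived on.
    if ipaddress.ip_address(m['dst']) not in local:
        mismatches.append(f"destination {m['dst']} not in local proxy {local}")
    if ipaddress.ip_address(m['src']) not in remote:
        mismatches.append(f"source {m['src']} not in remote proxy {remote}")
    return mismatches


if __name__ == '__main__':
    for problem in explain_402116(SAMPLE):
        print(problem)
```

For the sample, only the destination is reported: the source fits the SA's remote proxy, but the destination standing in for IP1 is not inside the local proxy negotiated for that SA.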