Re: ASA FW site-to-site vpn setup with Netscreen FW

From: Abiola Jewoola <biola_y2k_at_yahoo.com>
Date: Wed, 16 Mar 2011 04:09:13 -0700 (PDT)

Are u doing any NAT stuff on your ASA?

--- On Wed, 3/16/11, Mad_Prof <dr3d3m3nt0_at_gmail.com> wrote:

From: Mad_Prof <dr3d3m3nt0_at_gmail.com>
Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW
To: "kawaii mak" <kawaii00mak_at_gmail.com>
Cc: "Cisco certification" <ccielab_at_groupstudy.com>
Date: Wednesday, March 16, 2011, 2:17 AM

Compare the output of these commands:

Netscreen
get sa
get sa id xxx

ASA
show crypto ipsec sa peer x.x.x.x

This should be enough if Phase 2 is formed.

On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com> wrote:

> Dear Expert,
> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) setup to connect
> to a Netscreen SSG20 for a Site-to-Site VPN tunnel.
> Tunnel negotiation was completed for Phase 1 & Phase 2. Private traffic is initiated
> from the ASA side (10.194.x.x) to the Netscreen side (192.168.x.x), but it seems to be
> unreachable. And some messages occur in the ASA while packets return from the
> Netscreen side, as follows. Is anything wrong in the configuration to trigger
> these messages?
> Please help! Thanks.
>
> firewall log
> ==============
> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI=
> 0x24F592BC, sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to
> 203.x.x.x. The decapsulated inner packet doesn't match the negotiated
> policy in the SA. The packet specifies its destination as 203.x.x.x, its
> source as 210.x.x.x, and its protocol as 1. The SA specifies its local
> proxy as 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
> 192.168.x.x/255.255.255.255/0/0.
>
> Regards,
> Kawaii
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

--
It is said that if you know your enemies and know yourself, you will not be
imperiled in a hundred battles; if you do not know your enemies but do know
yourself, you will win one and lose one; if you do not know your enemies nor
yourself, you will be imperiled in every single battle.
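The %ASA-4-402116 message quoted in the thread already contains everything needed to see why the ASA drops the returning packet: the inner packet's source, destination and protocol, and the local/remote proxy IDs of the SA it arrived on. The script below is an added example, not code from the thread or from Cisco; it parses such a line and reports which field falls outside the negotiated proxy IDs. The sample line is constructed: the masked octets from the original log are replaced with RFC 5737 documentation addresses, and the comparison rule (inbound inner source must lie in remote_proxy, inbound inner destination in local_proxy) is the assumption the check is built on.

```python
import ipaddress
import re

# Constructed sample: the thread's 402116 line with masked octets replaced by
# RFC 5737 documentation addresses (198.51.100.2 = remote peer, 203.0.113.2 = ASA).
SAMPLE_LOG = (
    "4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= "
    "0x24F592BC, sequence number= 0x1) from 198.51.100.2 (user= 198.51.100.2) to "
    "203.0.113.2. The decapsulated inner packet doesn't match the negotiated "
    "policy in the SA. The packet specifies its destination as 203.0.113.2, its "
    "source as 198.51.100.2, and its protocol as 1. The SA specifies its local "
    "proxy as 10.194.1.10/255.255.255.255/0/0 and its remote_proxy as "
    "192.168.1.10/255.255.255.255/0/0."
)

# Outer ESP endpoints: "from <peer> (user= ...) to <local>."
ENDPOINT_RE = re.compile(r"from (?P<peer>[\d.]+) \(user= [^)]*\) to (?P<local>[\d.]+)\.")
# Decapsulated inner packet header fields.
PACKET_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)"
)
# Proxy IDs in the form addr/mask/protocol/port (0 = any).
PROXY_RE = re.compile(
    r"local proxy as (?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+) "
    r"and its remote_proxy as (?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+)"
)


def parse_402116(line):
    """Extract the inner packet and SA proxy fields from a 402116 line.

    Returns a dict, or None when the line is not a parseable 402116 message.
    """
    if "402116" not in line:
        return None
    em, pm, xm = ENDPOINT_RE.search(line), PACKET_RE.search(line), PROXY_RE.search(line)
    if not (em and pm and xm):
        return None
    return {
        "peer": ipaddress.ip_address(em["peer"]),
        "local_endpoint": ipaddress.ip_address(em["local"]),
        "inner_src": ipaddress.ip_address(pm["src"]),
        "inner_dst": ipaddress.ip_address(pm["dst"]),
        "inner_proto": int(pm["proto"]),
        # strict=False lets a host address carry a /32-style netmask without complaint
        "local_proxy": ipaddress.ip_network(f"{xm['lip']}/{xm['lmask']}", strict=False),
        "remote_proxy": ipaddress.ip_network(f"{xm['rip']}/{xm['rmask']}", strict=False),
        "proxy_proto": int(xm["lproto"]),
    }


def diagnose(p):
    """Return human-readable findings for an inbound packet that failed the SA policy check.

    Assumption: for traffic the ASA receives, the inner source must be inside
    remote_proxy and the inner destination inside local_proxy.
    """
    findings = []
    if p["inner_src"] not in p["remote_proxy"]:
        findings.append(
            f"inner source {p['inner_src']} is outside remote proxy {p['remote_proxy']}"
        )
    if p["inner_dst"] not in p["local_proxy"]:
        findings.append(
            f"inner destination {p['inner_dst']} is outside local proxy {p['local_proxy']}"
        )
    if p["proxy_proto"] not in (0, p["inner_proto"]):
        findings.append(
            f"inner protocol {p['inner_proto']} does not match proxy protocol {p['proxy_proto']}"
        )
    # The tell-tale case from the thread: the inner addresses are the tunnel
    # endpoints themselves, so the peer is sending traffic with its outside
    # address inside the tunnel (firewall-originated traffic or NAT applied
    # before encryption) rather than the private network in the proxy ID.
    if p["inner_src"] == p["peer"]:
        findings.append(
            "inner source equals the remote tunnel endpoint: traffic was sourced by the "
            "peer itself or translated to its outside address before encryption"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_402116(SAMPLE_LOG)
    for finding in diagnose(parsed):
        print("-", finding)
```

Run against the constructed line it reports that both inner addresses sit outside the /32 proxy IDs and that the inner source is the peer's own tunnel endpoint, which is the condition the NAT question in the reply above is probing: whatever the peer encrypts has to carry the private addresses named in the proxy IDs, not its outside address.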
Received on Wed Mar 16 2011 - 04:09:13 ART

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART