I am trying without success to allow traffic through a VPN that terminates on my ASA firewall. It is a site-to-site VPN with the distant end being a Juniper Netscreen. It is a working tunnel and I am trying to add access to a specific pair of hosts to and from a specific subnet. When I use the packet tracer tool in ASDM it reports that the flow is not allowed because of "(acl-drop) Flow is denied by configured rule." This happens in the VPN section of the packet tracer display.
The flow I was tracing was from 172.17.25.14 port 49 (on the inside) to 10.10.50.253 also on port 49 (on the outside).
My crypto map ACL includes the following line:
access-list outside_cryptomap_20 line 1 extended permit ip host 172.17.25.14 10.10.48.0 255.255.252.0 (hitcnt=330) 0x46d3dd4b
However, the ASA syslog is filling up with entries like:
3 Dec 27 2009 08:03:55 713042 IKE Initiator unable to find policy: Intf outside, Src: 172.17.25.14, Dst: 10.10.50.253
The help for this message says to check my L2L policies. The crypto map ACL would seem to be the relevant policy.
What am I doing wrong?
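Added example, not part of the original post: a small Python check that parses the ASA extended ACE quoted in the question and tests whether a traced flow falls inside its source/destination definition. The ACE text is copied from the question; the flow addresses are the ones from the packet trace.

```python
import ipaddress

# ACE copied from the question (trailing hitcnt/hash tokens are ignored by the parser).
ACE = ("access-list outside_cryptomap_20 line 1 extended permit ip "
       "host 172.17.25.14 10.10.48.0 255.255.252.0 (hitcnt=330) 0x46d3dd4b")


def parse_endpoint(tokens):
    """Consume one ASA ACL address spec ('any', 'host A', or 'NET MASK')
    and return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # network followed by a dotted subnet mask, e.g. 10.10.48.0 255.255.252.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Extract action, protocol, source and destination from an ASA extended ACE."""
    tokens = line.split()
    idx = tokens.index("extended")
    action, proto = tokens[idx + 1], tokens[idx + 2]
    src, rest = parse_endpoint(tokens[idx + 3:])
    dst, _ = parse_endpoint(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def flow_matches(ace, src_ip, dst_ip, proto="ip"):
    """True if this flow would be selected as interesting traffic by the ACE.
    A protocol of 'ip' in the ACE covers every transport protocol."""
    if ace["action"] != "permit":
        return False
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    return (ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"])


if __name__ == "__main__":
    ace = parse_ace(ACE)
    print(f"dst network from mask: {ace['dst']}")      # 10.10.48.0/22
    # The traced flow from the question, inside -> outside
    print(flow_matches(ace, "172.17.25.14", "10.10.50.253", proto="tcp"))
```

If the flow matches here but the tunnel still rejects it, the ACE itself is not what is excluding the traffic, so the remaining candidates are the other things the 713042 message points at (the L2L policy selection on the ASA and the matching proxy-ID on the peer).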