I have successfully established a site-to-site VPN tunnel between a Cisco ASA 5505 and a Symantec Gateway 460R. However, the Cisco ASA log is pushing out tons of this severity 4 log message:
"IPSEC: Received an ESP packet (SPI= 0x5E4FE6BC, sequence number= 0xD7) from 18.104.22.168 (user= 22.214.171.124) to 126.96.36.199. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 188.8.131.52, its source as 10.4.167.105, and its protocol as 17. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.4.167.0/255.255.255.0/0/0."
Check the ACL configured on the ASA 5505 to make sure it matches the Symantec gateway.
On your ASA, the ACL was configured between the 192.168.1.x/24 network and the 10.4.167.x/24 network. But the packet was received from the address 10.4.167.105 to the address 184.108.40.206, which I believe doesn't belong in your encryption ACL.
It seems the packet that was received from the Symantec gateway does not match the ACL that is configured on the ASA 5505.
The 220.127.116.11 IP belongs to a company that hosts our data images, and it's quite regular for the PCs on the Symantec Gateway side to be communicating with it. The weird thing is that the 10.4.167.105 address is a domain controller, so somehow communication with 18.104.22.168 is being routed through the domain controller and then sent over the encrypted VPN to the ASA 5505.
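For anyone triaging this message at scale, the check the ASA is performing is simple to reproduce: the decapsulated inner packet's source must fall inside the SA's remote proxy and its destination inside the local proxy, otherwise the packet is dropped and this syslog is emitted. The script below is an added example (not code from this thread or from Cisco) that parses the message into its fields, re-runs that comparison, and counts which inner source/destination pairs are repeatedly failing so you can see exactly what traffic is being pushed into the tunnel outside the negotiated selectors. The sample log line is constructed from the format quoted above with documentation-range addresses; the trailing `/0/0` fields on each proxy are not interpreted and are assumed to be opaque here.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the ASA message quoted in the thread.
# Public addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE_LOG = (
    "IPSEC: Received an ESP packet (SPI= 0x5E4FE6BC, sequence number= 0xD7) "
    "from 203.0.113.10 (user= 203.0.113.10) to 198.51.100.1. The decapsulated inner "
    "packet doesn't match the negotiated policy in the SA. The packet specifies its "
    "destination as 192.0.2.55, its source as 10.4.167.105, and its protocol as 17. "
    "The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its "
    "remote_proxy as 10.4.167.0/255.255.255.0/0/0."
)

# The ASA writes "local proxy" with a space and "remote_proxy" with an underscore;
# accept either spelling for both. The two trailing "/N/N" fields are ignored.
PATTERN = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. "
    r"The SA specifies its local[ _]proxy as (?P<local>[\d.]+/[\d.]+)/\d+/\d+ "
    r"and its remote[ _]proxy as (?P<remote>[\d.]+/[\d.]+)/\d+/\d+"
)


def parse_asa_proxy_mismatch(line):
    """Extract inner addresses, protocol and SA selectors from one syslog line.

    Returns None when the line is not a proxy-mismatch message.
    """
    m = PATTERN.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": int(m["proto"]),
        # ipaddress accepts the dotted-netmask form the ASA prints (a.b.c.d/m.m.m.m)
        "local_proxy": ipaddress.ip_network(m["local"], strict=False),
        "remote_proxy": ipaddress.ip_network(m["remote"], strict=False),
    }


def check_selectors(parsed):
    """Re-run the ASA's comparison of the inner packet against the SA selectors.

    For traffic arriving from the peer, the inner source must be inside the
    remote proxy and the inner destination inside the local proxy.
    """
    src_ok = parsed["src"] in parsed["remote_proxy"]
    dst_ok = parsed["dst"] in parsed["local_proxy"]
    problems = []
    if not src_ok:
        problems.append(
            f"source {parsed['src']} is outside remote proxy {parsed['remote_proxy']}"
        )
    if not dst_ok:
        problems.append(
            f"destination {parsed['dst']} is outside local proxy {parsed['local_proxy']}"
        )
    return {"src_in_remote_proxy": src_ok, "dst_in_local_proxy": dst_ok, "problems": problems}


def summarize(lines):
    """Count offending (inner src, inner dst, protocol) tuples across a log extract.

    Lines that are not proxy-mismatch messages, or that do match the SA, are skipped.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_asa_proxy_mismatch(line)
        if parsed is None:
            continue
        if check_selectors(parsed)["problems"]:
            counts[(str(parsed["src"]), str(parsed["dst"]), parsed["proto"])] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_asa_proxy_mismatch(SAMPLE_LOG)
    for problem in check_selectors(parsed)["problems"]:
        print("mismatch:", problem)
    for (src, dst, proto), n in summarize([SAMPLE_LOG, SAMPLE_LOG]).most_common():
        print(f"{n:>5}  {src} -> {dst} proto {proto}")
```

Feeding a real extract of these messages through `summarize()` shows whether the drops come from one host (as in this thread, a domain controller forwarding traffic for a destination outside the crypto ACL) or from many, which tells you whether the fix belongs in the remote site's routing or in the encryption ACLs on both peers.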