I need some help setting up my VPN Concentrator so that our remote sites can access devices at our new data center.
Here's how things are set up.
Data Center: 10.110.1.0
Corporate: 192.168.0.0 & 192.168.1.0
Currently devices in 192.168.0.0 & 192.168.1.0 network can access devices in 10.110.1.0 network and 10.110.1.0 devices can access 192.168.0.0 and 192.168.1.0 networks.
On our concentrator (192.168.0.252) I have added a static route of 10.0.0.0 255.0.0.0 to 192.168.0.254 (our switch). In the switch is a static route that says all 10.0.0.0 traffic goes out through our MPLS router (192.168.1.1).
On the concentrator I am able to ping my devices at the data center.
But I cannot ping any devices at the remote sites from the data center, and I can't ping any devices at the data center from the remote sites.
The remote sites are using a Cisco Pix 506e to establish their vpn tunnel back to corporate.
I have tried adding the 10.0.0.0 network to the network list that I use on the concentrator as well as adding 10.0.0.0 to my PIX access-list:
access-list nonat permit ip 192.168.41.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.41.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.41.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list us_HQ permit ip 192.168.41.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list us_HQ permit ip 192.168.41.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list us_HQ permit ip 192.168.41.0 255.255.255.0 192.168.1.0 255.255.255.0
But once I do that, the VPN tunnel for my remote sites keeps going up and down with the error message:
"Tunnel rejected: Policy not found for Src:192.168.41.0, Dst: 10.0.0.0"
%PIX|ASA-3-713061: Tunnel rejected: Crypto Map Policy not found for Src:source_address, Dst: dest_address!
Explanation This message indicates that the security appliance was not able to find security policy information for the private networks or hosts indicated in the message. These networks or hosts were sent by the initiator and do not match any crypto ACLs at the security appliance. This is most likely a misconfiguration.
Recommended Action Check the protected network configuration in the crypto ACLs on both sides and make sure that the local net on the initiator is the remote net on the responder and vice-versa. Pay special attention to wildcard masks, host addresses versus network addresses, and so on. Non-Cisco implementations may have the private addresses labeled as proxy addresses or red networks.
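The Cisco text above boils down to a mechanical check: every local/remote pair the initiator proposes must appear, flipped, as a remote/local pair in the responder's crypto ACL. The script below is an added example, not something from the post or from Cisco: it parses the PIX access-list lines quoted in the post, builds the proxy-ID pairs a concentrator would derive from a network list, and reports pairs that exist on only one side. The concentrator side is a constructed assumption (local networks 192.168.0.0/24, 192.168.1.0/24 and 10.110.1.0/24, remote network 192.168.41.0/24, a hypothetical `HQ_LOCAL`/`HQ_REMOTE` list); the check also assumes exact mirror matching, the conservative reading of the error text, and does not claim to know how a given platform treats a narrower or wider proposal.

```python
import re
from ipaddress import IPv4Network

# Constructed sample input: the PIX access-list lines quoted in the post.
PIX_ACL = """
access-list nonat permit ip 192.168.41.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.41.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.41.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list us_HQ permit ip 192.168.41.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list us_HQ permit ip 192.168.41.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list us_HQ permit ip 192.168.41.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Hypothetical concentrator network list (assumption, not from the post):
# local networks behind the concentrator and the remote site it talks to.
HQ_LOCAL = ["192.168.0.0/24", "192.168.1.0/24", "10.110.1.0/24"]
HQ_REMOTE = ["192.168.41.0/24"]

ACL_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def parse_pix_acl(text, name):
    """Return the (local, remote) proxy-ID pairs from one PIX/ASA ACL.

    Only 'permit ip' lines of the named ACL count; other ACLs (e.g. nonat)
    and anything that is not a plain network-to-network permit are skipped.
    PIX ACLs use dotted netmasks, which IPv4Network accepts directly.
    """
    pairs = set()
    for line in text.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m or m.group("name") != name:
            continue
        local = IPv4Network(f"{m.group('src')}/{m.group('smask')}", strict=False)
        remote = IPv4Network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        pairs.add((str(local), str(remote)))
    return pairs


def concentrator_pairs(local_nets, remote_nets):
    """A flat network list yields every local x remote combination as a pair."""
    return {
        (str(IPv4Network(l, strict=False)), str(IPv4Network(r, strict=False)))
        for l in local_nets
        for r in remote_nets
    }


def mirror_check(side_a, side_b):
    """Compare two peers' proxy-ID sets from side_a's point of view.

    side_b is flipped first (its local becomes a's remote). Returns the
    matched pairs, the orphans on each side, and 'near misses': orphans that
    share a local network but whose remote networks merely contain one
    another, the classic /8-versus-/24 mismatch behind a policy-not-found.
    """
    b_flipped = {(remote, local) for local, remote in side_b}
    matched = sorted(side_a & b_flipped)
    a_only = sorted(side_a - b_flipped)
    b_only = sorted(b_flipped - side_a)
    near_misses = []
    for la, ra in a_only:
        for lb, rb in b_only:
            na, nb = IPv4Network(ra), IPv4Network(rb)
            if la == lb and (na.subnet_of(nb) or nb.subnet_of(na)):
                near_misses.append(((la, ra), (lb, rb)))
    return {"matched": matched, "a_only": a_only,
            "b_only": b_only, "near_misses": near_misses}


def check_post_config():
    """Run the check on the constructed sample above (PIX side = side_a)."""
    return mirror_check(parse_pix_acl(PIX_ACL, "us_HQ"),
                        concentrator_pairs(HQ_LOCAL, HQ_REMOTE))


if __name__ == "__main__":
    report = check_post_config()
    for key in ("matched", "a_only", "b_only"):
        print(f"{key}:")
        for pair in report[key]:
            print(f"  {pair[0]} -> {pair[1]}")
    for (la, ra), (lb, rb) in report["near_misses"]:
        print(f"near miss: PIX {la}->{ra} vs concentrator {lb}->{rb}")
```

With the sample input, the two 192.168.x pairs match, while the PIX's 192.168.41.0/24 to 10.0.0.0/8 entry has no mirror on the concentrator side, which instead carries 10.110.1.0/24; the script flags that as a near miss, which is the kind of mismatch to look for before touching routing.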