Cisco Support Community

New Member

Remote Site access to new Data Center

I need some help setting up my VPN Concentrator so that our remote sites can access devices at our new data center.

Here's how things are set up.

Data Center:

Corporate: &

Currently devices in & network can access devices in network and devices can access and networks.

On our concentrator ( I have added a static route of to (our switch). In the switch is a static route that says all traffic go out through our MPLS router (

On the concentrator I am able to ping my devices at the data center.

But I cannot ping any devices at the remote sites from the data center. And I can't ping any devices at the data center from the remote sites.

The remote sites are using a Cisco Pix 506e to establish their vpn tunnel back to corporate.

I have tried adding network to the network list that I use on the concentrator as well as adding to my pix access-list:

access-list nonat permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list us_HQ permit ip
access-list us_HQ permit ip
access-list us_HQ permit ip

But once I do that, the VPN tunnel for my remote sites keeps going up and down with the error message:

"Tunnel rejected: Policy not found for Src:, Dst:"

Can someone help me out?

Thanks in advance!

New Member

Re: Remote Site access to new Data Center

%PIX|ASA-3-713061: Tunnel rejected: Crypto Map Policy not found for Src:source_address, Dst: dest_address!

Explanation: This message indicates that the security appliance was not able to find security policy information for the private networks or hosts indicated in the message. These networks or hosts were sent by the initiator and do not match any crypto ACLs at the security appliance. This is most likely a misconfiguration.

Recommended Action: Check the protected network configuration in the crypto ACLs on both sides and make sure that the local net on the initiator is the remote net on the responder and vice-versa. Pay special attention to wildcard masks, host addresses versus network addresses, and so on. Non-Cisco implementations may have the private addresses labeled as proxy addresses or red networks.
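The check the reply describes (every local/remote pair on the initiator must appear mirrored as remote/local on the responder) is easy to automate before a tunnel is brought up. The script below is an added example and is not part of the original thread or of any Cisco tool: it parses PIX-style "access-list NAME permit ip SRC MASK DST MASK" lines from both peers and reports every entry that has no mirror on the other side, which is exactly the condition that produces the 713061 message. All addresses, ACL names and both configs are constructed for the example; the HQ side is written in the same access-list syntax for illustration, whereas on a VPN 3000 Concentrator the equivalent policy lives in the network list attached to the LAN-to-LAN connection and must cover the same networks.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (local protected network, remote protected network)


def _endpoint(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL endpoint starting at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    # PIX/ASA ACLs take a subnet mask (255.255.255.0), not an IOS-style wildcard
    return Net((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_crypto_acl(config: str, acl_name: str) -> List[Pair]:
    """Return the (local, remote) pairs defined by permit-ip lines of one crypto ACL."""
    pairs: List[Pair] = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != acl_name:
            continue
        if t[2] != "permit" or t[3] != "ip":
            continue  # deny lines and non-IP entries do not define protected networks
        local, i = _endpoint(t, 4)
        remote, _ = _endpoint(t, i)
        pairs.append((local, remote))
    return pairs


def find_unmirrored(initiator: List[Pair], responder: List[Pair]) -> List[str]:
    """Initiator entries whose (local, remote) has no (remote, local) twin on the responder.

    Each returned entry is a proxy-ID pair the responder would reject with
    'Crypto Map Policy not found' when the initiator proposes it.
    """
    mirrored = {(remote, local) for (local, remote) in responder}
    return [f"{l} -> {r}" for (l, r) in initiator if (l, r) not in mirrored]


def check_symmetry(side_a: List[Pair], side_b: List[Pair]) -> Dict[str, List[str]]:
    """Run the mirror check in both directions, since either peer may initiate."""
    return {
        "missing_on_b": find_unmirrored(side_a, side_b),
        "missing_on_a": find_unmirrored(side_b, side_a),
    }


# Constructed sample: a remote-site PIX whose crypto ACL already lists the new
# data-center network, and an HQ side that was never updated to mirror it.
REMOTE_PIX = """
access-list us_HQ permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
"""

HQ_SIDE = """
access-list to_remote permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list to_remote permit ip 10.2.0.0 255.255.0.0 192.168.10.0 255.255.255.0
"""


def sample_report() -> Dict[str, List[str]]:
    """Compare the two constructed configs; the data-center pair shows up as unmirrored."""
    return check_symmetry(
        parse_crypto_acl(REMOTE_PIX, "us_HQ"),
        parse_crypto_acl(HQ_SIDE, "to_remote"),
    )


if __name__ == "__main__":
    for side, missing in sample_report().items():
        print(side, missing or "ok")
```

Run it against exported configs from both peers; an empty list in both directions means every proxy-ID pair the initiator can propose has a matching policy on the responder. The remaining checks the reply mentions (a host entry on one side versus a network entry on the other, a wrong mask) also surface here, because those produce networks that compare unequal.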