We have a Cisco ASA 5520 running the ASA 8.25(x) software and we are trying to build an IPSec VPN tunnel to a site that uses a Cisco 7206. We can build PHASE 1 just fine, but we are getting errors on PHASE 2. The problem seems to be that the outside interface on the ASA has a non-routable IP that gets NAT'ed to a routable IP through a Juniper firewall. The Cisco 7206 sees the physical IP of the ASA, which is not the same as the peer IP, and fails to build PHASE 2. Now, we have over 120 IPSec VPN tunnels on our ASA and it works fine. We have had a similar issue come up before (mostly with SonicWalls), and we normally get the client side to enter our ASA's physical outside interface IP in their peer ID validation field, which normally fixes the problem. Unfortunately, I don't have control of the Cisco 7206 side, nor do I have access to the logs, but the site assures me that they are seeing my physical interface IP instead of the routable outside IP when the tunnel tries to build. Does anyone know if the Cisco 7206 has the ability to enter the peer ID, and what the command would be? The administrators of the 7206 also have some existing VPN tunnels that are working, but they have never encountered this particular issue and are unfamiliar with this problem. Thanks in advance.
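One way a Cisco IOS peer such as the 7206 can accept an IKE identity that differs from the source address it sees, added here as an illustration and not part of the original post: the pre-shared key is keyed on the post-NAT address the packets arrive from, while an ISAKMP profile matches the ASA's real interface address as the identity. ROUTABLE_IP, PHYSICAL_IP, the PSK and all object names are placeholders, and the syntax should be checked against the 7206's IOS release.

```cisco
! Assumed IOS config on the 7206 side (placeholders, not the asker's config).
! ROUTABLE_IP  = address the 7206 reaches the ASA at (after the Juniper NAT)
! PHYSICAL_IP  = ASA's real outside interface address, sent as its IKE ID
!
! The PSK is looked up by the IKE packet's source address, i.e. the NAT'ed one.
crypto keyring ASA-KEYRING
 pre-shared-key address ROUTABLE_IP key <PSK>
!
! The profile accepts the ASA's private interface address as the peer identity.
crypto isakmp profile ASA-BEHIND-NAT
 keyring ASA-KEYRING
 match identity address PHYSICAL_IP 255.255.255.255
!
crypto ipsec transform-set TS-ASA esp-aes esp-sha-hmac
!
! Interesting traffic for this tunnel (placeholder ACL name).
ip access-list extended ACL-TO-ASA
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! The peer is still the routable address; the profile only relaxes the ID check.
crypto map VPNMAP 10 ipsec-isakmp
 set peer ROUTABLE_IP
 set transform-set TS-ASA
 set isakmp-profile ASA-BEHIND-NAT
 match address ACL-TO-ASA
```

Reviewing the ISAKMP debug on the 7206 side for the ID payload is the quickest way to confirm that PHYSICAL_IP is indeed the identity being presented before relying on this match.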