ASA to Cisco 7206 IPSec VPN problem

We have a Cisco ASA 5520 running the ASA 8.25(x) software and we are trying to build an IPSec VPN tunnel to a site that uses a Cisco 7206. We can build PHASE 1 just fine but we are getting errors on PHASE 2. The problem seems to be that the outside interface on the ASA has a non-routable IP that gets NAT'ed to a routable IP through a Juniper firewall. The Cisco 7206 sees the physical IP of the ASA, which is not the same as the peer IP, and fails to build PHASE 2.

Now, we have over 120 IPSec VPN tunnels on our ASA and it works fine. We have had a similar issue come up before (mostly with SonicWalls) and we normally get the client side to enter our ASA physical outside interface IP in their peer ID validation field, which normally fixes the problem. Unfortunately, I don't have control of the Cisco 7206 side nor do I have access to the logs, but the site assures me that they are seeing my physical interface IP instead of the routable outside IP when the tunnel tries to build.

Does anyone know if the Cisco 7206 has the ability to enter the peer ID and what the command would be? The administrators of the 7206 also have some existing VPN tunnels that are working but they have never encountered this particular issue and are unfamiliar with this problem.

Thanks in advance.

Cisco Employee

ASA to Cisco 7206 IPSec VPN problem

On any IOS device, what you describe could cause a problem if ISAKMP profiles are in use.

That is, from IOS's perspective the communication comes from the public routable IP address, but inside the IKE MM5/MM6 packets the ASA will provide its non-routable IP address (as its identity).

This is expected; typically it's just a question of adjusting the ISAKMP profile's match statement to account for this identity.

Looks like folks on the 7200 side should look into this.
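The following IOS configuration is an added illustration of the adjustment described in the reply above; it is not configuration from the original post or from either site. The addresses, profile and keyring names are assumed: 203.0.113.10 stands for the routable address the Juniper presents for the ASA (the source address of the IKE packets as seen by the 7206), and 10.0.0.10 for the ASA's physical outside interface address, which is what the ASA sends as its ISAKMP identity in MM5/MM6.

```cisco
! Assumed addresses for this example (not from the original post):
!   203.0.113.10  = routable NAT address the 7206 sees as the IKE packet source
!   10.0.0.10     = ASA outside interface address, sent as the IKE identity
!
! --- Before: the profile only matches the public address. The identity
! --- carried in MM5/MM6 is 10.0.0.10, so no profile matches and phase 2 fails.
crypto keyring ASA-KEYRING
 pre-shared-key address 203.0.113.10 key <shared-secret>
!
crypto isakmp profile ASA-PROFILE
 keyring ASA-KEYRING
 match identity address 203.0.113.10 255.255.255.255
!
! --- After: also match the identity the ASA actually sends. The keyring entry
! --- stays keyed on 203.0.113.10, because the pre-shared key is looked up by
! --- the packet source address, whereas "match identity address" is compared
! --- against the IKE ID payload.
crypto isakmp profile ASA-PROFILE
 keyring ASA-KEYRING
 match identity address 203.0.113.10 255.255.255.255
 match identity address 10.0.0.10 255.255.255.255
!
! Check on the 7206 after the change:
!   show crypto isakmp sa detail   (phase 1 SA should now show the profile)
!   debug crypto isakmp            (watch the identity match during MM5/MM6)
```

The 7206 administrators would confirm the exact identity value from `debug crypto isakmp` output before adding the second `match identity address` line; if the ASA is ever changed to send a hostname or key-id identity instead of its interface address, the profile match has to change with it.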
