
Help with VPN site-to-site under other VPN

Hello Guys,


I need help with this scenario.


Branch --> HQ --> Site Remote, where:

Branch: Internal =

HQ: Internal =

Site Remote =


Branch + HQ = Both ASA with ESP-3DES-MD5. (Here, we are using the real LAN IP range for encryption domain)

HQ + Site Remote = My side ASA with ESP-AES-256-SHA. (Here, to reach the Site Remote we NAT our LAN IP range to, so the encryption domain is -->


Now, we need Branch to reach the Remote Site over the VPN, Branch to HQ and HQ to Remote Site.

My actions:

Branch Firewall:

 - In the VPN Site to Site configuration I added the for Tunnel between Branch and HQ in the Remote Network.

 - I added the EXEMPT for in the inside.

HQ Firewall:

 - In the VPN Site to Site configuration I added the for Tunnel between Branch and HQ in the Remote Network.

 - I created a Dynamic Policy in the outside from source = Branch IP range to = Site Remote IP range translated to


I already have it working for another Site Remote, but that one has the IPsec proposal ESP-3DES-MD5 (the same as Branch). I do not know if that is the problem, but I tried using both proposals together, 3DES-MD5 and AES-256-SHA.


Firewall rules are ok too.


Where is the mistake in that configuration?








post your config


Follow attached!

The network that I need to reach from Branch is "name REDE_Client"

The Tunnel group of the Client is

The NAT IP from my network to reach client is

hi seg

I looked very quickly at the HQ config

and I saw that your peer (vpn_client) doesn't match any crypto map,

and this doesn't allow phase 2.

I have not seen anything else;
double-check the config on both sides first.


My bad. I forgot to change it. The crypto map is number 4

Diego, your config is also wrong in the branch config.

You have only a tunnel group with the IP, but the crypto map is blind to FWL_Matriz.


In the HQ log I can see it...

3 May 13 2014 17:23:08 713061    Group = , IP = 189..7.7.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy local proxy on interface outside
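Not part of the thread: an added Python triage helper for the 713061 message quoted above. It parses the rejection, converts the ASA addr/mask/proto/port proxy form to networks, and checks the proposed proxies against a constructed stand-in for the hub's crypto ACL; the sample log lines, addresses and ACL are constructed (RFC 5737 ranges), not Diego's, and "covered by an ACL entry" is used as a simplification of ASA proxy-ID matching.

```python
import re
import ipaddress

# Constructed sample syslog lines (not from the thread; RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    "%ASA-3-713061: Group = 198.51.100.7, IP = 198.51.100.7, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 192.0.2.0/255.255.255.0/0/0 "
    "local proxy 203.0.113.0/255.255.255.0/0/0 on interface outside",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 (...)",
]
# Constructed stand-in for the hub's crypto ACLs, peer -> [(local net, remote net), ...],
# i.e. what `crypto map ... match address` points at for that peer's map entry.
CRYPTO_ACL = {"198.51.100.7": [("203.0.113.0/24", "192.0.2.0/25")]}
MSG_713061 = re.compile(
    r"Group = (?P<group>\S+), IP = (?P<peer>\S+), Rejecting IPSec tunnel: "
    r"no matching crypto map entry for remote proxy (?P<remote>\S+) "
    r"local proxy (?P<local>\S+) on interface (?P<iface>\S+)"
)

def parse_proxy(proxy: str) -> ipaddress.IPv4Network:
    """Convert the ASA proxy form 'addr/mask/proto/port' into an IPv4Network."""
    addr, mask = proxy.split("/")[:2]
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_713061(line: str):
    """Return the fields of a 713061 rejection, or None for any other message."""
    m = MSG_713061.search(line)
    if not m:
        return None
    return {"group": m["group"], "peer": m["peer"], "iface": m["iface"],
            "remote": parse_proxy(m["remote"]), "local": parse_proxy(m["local"])}

def explain_mismatch(event: dict, acl: dict) -> str:
    """Report which side of the proposed proxy pair no ACL entry for that peer covers."""
    entries = acl.get(event["peer"])
    if not entries:
        return "peer has no crypto map entry"
    problems = set()
    for local, remote in entries:
        l_ok = event["local"].subnet_of(ipaddress.IPv4Network(local))
        r_ok = event["remote"].subnet_of(ipaddress.IPv4Network(remote))
        if l_ok and r_ok:
            return "proxies match ACL; check peer address and map sequence instead"
        problems.update(s for s, ok in (("local", l_ok), ("remote", r_ok)) if not ok)
    return "proxy not covered: " + ", ".join(sorted(problems))

def triage(lines, acl=CRYPTO_ACL):
    """Run the parser over a log and pair each rejection with a diagnosis."""
    return [(ev["peer"], explain_mismatch(ev, acl)) for ev in map(parse_713061, lines) if ev]
```

For the constructed sample, the verdict is that the remote proxy (the branch range the peer proposes) is wider than the ACL entry, the same class of phase 2 failure the replies above point at.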

What do you want me to say?
You have posted a different conf than your debug.

Yeah, probably because I changed it before sending...

well... I recreated the tunnels and now it is working fine....

I think when we changed the outside IP and recreated the tunnels, maybe some dirt was kept in the config... so I removed it all and created it again..




put solved in this post
