Hello everyone.
I have a funny problem with ASA5510 VPN.
I have created two VPN tunnels with two offices:
ASA to D-LINK VPN router
ASA to 1751-like router.
Both tunnels are established and I can ping from the D-LINK local net to the ASA local net, but I cannot ping from the 1751 local net to the ASA local net. The error I am getting is below:
2 12:04:45 IPSEC_PACKET(decaps):
rec'd IPSEC packet from 192.168.1.2 to 192.168.240.200 does not agree with policy.
(SPI)destaddr=x.x.x.x,prot=-1515870811,spi=a5a5a5a5(-1515870811)
where 192.168.240.200 is from the 1751 local LAN and 192.168.1.2 is the ASA LAN.
Below is my config:
ASA for the 1751
access-list SSDT extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
crypto map VPNmap 30 match address SSDT
crypto map VPNmap 30 set pfs
crypto map VPNmap 30 set peer x.x.x.x
crypto map VPNmap 30 set transform-set ESP-3DES-MD5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group 202.22.193.176 type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
------
1751 config
crypto isakmp key cisco y.y.y.y 255.255.255.255
!
crypto isakmp policy 1
encryption 3des
group 2
hash md5
!
crypto ipsec transform-set ts
transform-type esp-3des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer y.y.y.y
set pfs group2
set security-association lifetime seconds 86400
set transform-set ts
match address vpn
ip access-list extended vpn
permit ip 192.168.240.0 255.255.255.0 192.168.1.0 255.255.255.0 log
--
nat (inside) 0 access-list NONAT is implemented on the ASA side to exempt the local net from going via NAT for the remote office LAN.
Can anyone tell me why I am having this error?
I have an access-list implemented on the 1751 to block some specific traffic to the internet.
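
Added example (not part of the original post): a Python check of the two posted crypto ACLs against the flow named in the logged error. It confirms the ACLs are mirrors of each other, then tests the 1751-side ACL under both readings of the mask, netmask (as the ASA uses) and wildcard (as Cisco IOS extended ACLs use); which reading the "1751 like" router applies is not stated in the post and is an assumption, as are all function names.

```python
import ipaddress

# Crypto ACL lines copied from the post (ASA side, then the "1751 like" side).
ASA_ACL = "access-list SSDT extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0"
RTR_ACL = "permit ip 192.168.240.0 255.255.255.0 192.168.1.0 255.255.255.0 log"
# Inner source and destination of the packet named in the logged error.
LOGGED_FLOW = ("192.168.1.2", "192.168.240.200")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_selectors(line):
    """Return ((src, src_mask), (dst, dst_mask)) from a 'permit ip ...' line."""
    tok = line.split()
    i = tok.index("ip") + 1
    return (tok[i], tok[i + 1]), (tok[i + 2], tok[i + 3])

def matches(addr, base, mask, mode):
    """'netmask': 1-bits of mask are compared; 'wildcard': 0-bits are compared."""
    care = to_int(mask) if mode == "netmask" else ~to_int(mask) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def mirrored(line_a, line_b):
    """True when each side's source selector is the other side's destination."""
    a_src, a_dst = parse_selectors(line_a)
    b_src, b_dst = parse_selectors(line_b)
    return a_src == b_dst and a_dst == b_src

def inbound_agrees(receiver_acl, flow, mode):
    """Check a decapsulated packet against the receiver's crypto ACL.

    The ACL is written for outbound traffic, so the inbound packet's
    destination is tested against the ACL source and vice versa.
    """
    (src_base, src_mask), (dst_base, dst_mask) = parse_selectors(receiver_acl)
    pkt_src, pkt_dst = flow
    return (matches(pkt_dst, src_base, src_mask, mode)
            and matches(pkt_src, dst_base, dst_mask, mode))

if __name__ == "__main__":
    print("ACLs mirrored:", mirrored(ASA_ACL, RTR_ACL))
    for mode in ("netmask", "wildcard"):
        print(f"logged flow agrees with 1751-side ACL ({mode}):",
              inbound_agrees(RTR_ACL, LOGGED_FLOW, mode))
```

Under the wildcard reading, 255.255.255.0 compares only the last octet, so 192.168.240.200 falls outside the selector even though the two ACL lines are textual mirrors.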