********POLICIES*********

[edit security policies]
sadm@SRX240# show
from-zone trust to-zone untrust {
    policy outbound {
        match {
            source-address internal_host;
            destination-address Bharat-internal-host;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn IPSEC-Tunnel-To-Bharat;
                }
            }
            log {
                session-init;
                session-close;
            }
        }
    }
    policy outbound-1 {
        match {
            source-address internal_net;
            destination-address any-ipv4;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy inbound-top {
        match {
            source-address Bharat-internal-host;
            destination-address static-translated-ip;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn IPSEC-Tunnel-To-Bharat;
                }
            }
            log {
                session-init;
                session-close;
            }
        }
    }
    policy inbound {
        match {
            source-address any-ipv4;
            destination-address internal_host;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}

**************ZONES*********

sadm@SRX240# show
security-zone trust {
    address-book {
        address internal_host 172.19.22.50/32;
        address static-translated-ip 1.1.1.1/32;
        address internal_net 172.19.22.0/24;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        ge-0/0/14.0;
    }
}
security-zone untrust {
    address-book {
        address Bharat-internal-host 172.16.130.1/32;
        address Bharat-internal-net 172.16.130.0/24;
    }
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ssh;
            https;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    tftp;
                    dhcp;
                }
            }
        }
        ge-0/0/15.0;
    }
}

**************NAT************

[edit security nat]
sadm@SRX240# show
source {
    pool A {
        address {
            10.102.101.219/32;
        }
    }
    pool nat-pool {
        address {
            1.1.1.1/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 172.19.22.50/32;
                destination-address 172.16.130.1/32;
            }
            then {
                source-nat {
                    pool {
                        nat-pool;
                    }
                }
            }
        }
    }
}

***********************CRYPTO ACL ON ASA******************

access-list VPN_ACL line 1 extended permit ip host 172.16.130.1 host 172.19.22.50 (hitcnt=2) 0xed1b88a0

**************************

Errors I get with the config above when traffic is initiated from the SRX:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xF03E7C9F, sequence number= 0x1) from 10.102.100.115 (user= 10.102.100.115) to 10.102.101.102. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.16.130.1, its source as 1.1.1.1, and its protocol as icmp. The SA specifies its local proxy as 172.16.130.1/255.255.255.255/ip/0 and its remote_proxy as 172.19.22.50/255.255.255.255/ip/0.

I understand why I am getting the error above, and it's as I expected.

Now let's say I change the crypto ACL on the ASA to be:

access-list VPN_ACL line 1 extended permit ip host 172.16.130.1 host 1.1.1.1

If I don't change anything on the SRX, then the proxy IDs sent by the SRX to the ASA will be 172.16.130.1/255.255.255.255/ip/0 and 172.19.22.50/255.255.255.255/ip/0, which the ASA will reject, and the tunnel will never come up.

************************

To get the SRX to send 172.16.130.1/255.255.255.255/ip/0 and 1.1.1.1/255.255.255.255/ip/0 as proxy IDs instead, I thought of changing the policy on the SRX to reflect 1.1.1.1 in the policy instead of 172.19.22.50. Pseudo code:

from-zone trust to-zone untrust {
    policy outbound {
        match {
            source-address 1.1.1.1/32;
            destination-address 172.16.130.1/32;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn IPSEC-Tunnel-To-Bharat;
                }
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy inbound-top {
        match {
            source-address 172.16.130.1/32;
            destination-address 1.1.1.1/32;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn IPSEC-Tunnel-To-Bharat;
                }
            }
        }
    }
}

But if I do the above, then when the SRX initiates traffic, the policy lookup will happen before source NAT, so the above policies will never be hit and the SRX will never try to bring up the tunnel.

Thanks!
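The proxy-ID mismatch the ASA log above reports, modelled as an added example (not code from the post, Juniper or Cisco): it parses the ASA's addr/mask/proto/port selector notation, checks a decapsulated inner packet against an SA the way the 402116 message describes, and compares the SRX's policy-derived proxy IDs with the ASA crypto ACL. All addresses come from the post; the function and class names are assumed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """One IPsec traffic selector in the ASA's addr/mask/proto/port notation."""
    network: ipaddress.IPv4Network
    proto: str  # "ip" = any protocol
    port: int   # 0 = any port

    @classmethod
    def parse(cls, text: str) -> "ProxyId":
        # e.g. "172.16.130.1/255.255.255.255/ip/0" exactly as printed in the ASA log
        addr, mask, proto, port = text.split("/")
        return cls(ipaddress.IPv4Network(f"{addr}/{mask}"), proto, int(port))

    @classmethod
    def from_policy_prefix(cls, prefix: str) -> "ProxyId":
        # Policy-based VPN on SRX: the proxy ID is the tunnel policy's address prefix,
        # any protocol and any port because the post's policies use "application any"
        return cls(ipaddress.IPv4Network(prefix), "ip", 0)

    def covers(self, ip: str, proto: str) -> bool:
        return ipaddress.IPv4Address(ip) in self.network and self.proto in ("ip", proto)


def inner_packet_allowed(local: str, remote: str, src: str, dst: str, proto: str) -> bool:
    """The receiving peer's check behind %ASA-4-402116: the decapsulated packet's
    source must fall in the SA's remote proxy and its destination in the local proxy."""
    return ProxyId.parse(remote).covers(src, proto) and ProxyId.parse(local).covers(dst, proto)


def phase2_agrees(asa_local: str, asa_remote: str, srx_src: str, srx_dst: str) -> bool:
    """Phase 2 completes only when the proxy IDs mirror each other:
    SRX local (policy source) == ASA remote, SRX remote (policy destination) == ASA local."""
    return (ProxyId.from_policy_prefix(srx_src) == ProxyId.parse(asa_remote)
            and ProxyId.from_policy_prefix(srx_dst) == ProxyId.parse(asa_local))


if __name__ == "__main__":
    # SA negotiated from the post's config, as the ASA log prints it
    sa_local, sa_remote = "172.16.130.1/255.255.255.255/ip/0", "172.19.22.50/255.255.255.255/ip/0"
    # Inner packet after SRX source NAT (1.1.1.1 is the nat-pool address from the post)
    print(inner_packet_allowed(sa_local, sa_remote, "1.1.1.1", "172.16.130.1", "icmp"))  # False
    # The same packet before NAT would have matched the SA
    print(inner_packet_allowed(sa_local, sa_remote, "172.19.22.50", "172.16.130.1", "icmp"))  # True
    # Crypto ACL changed to host 1.1.1.1 while the SRX policy still names 172.19.22.50
    print(phase2_agrees(sa_local, "1.1.1.1/255.255.255.255/ip/0", "172.19.22.50/32", "172.16.130.1/32"))  # False
```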