ASA (8.0(4)) VPN with NAT issues

joerggrau — Mon, 07 Feb 2011 20:30:33 GMT

I am trying to setup a VPN tunnel with one of our customers. We usually do all the NATing on a separate ASA, but for this tunnel we have to do it on the same ASA. Now from what I can tell ,my traffic is being NATed, but the ASA does not seem to think it belongs in the tunnel. It is not being encrypted and send out the interface, but not the tunnel.

Here is the basic layout:

I have a protected DMZ. A server on that DMZ (192.168.6.5, or 192.168.6.6) connects to an internal NAT (192.168.6.34).
A dynamic policy hides the two servers (.5 and .6) behind an external IP address (10.10.10.5), the intern al NAT has been statically NATed to the IP address of the customer server (100.100.100.100).
The VPN peer on the customer site (200.200.200.200) is configured.
Static route for 100.100.100.100 via 200.200.200.200 is configured on the ASA.
We also have an external IP address (10.10.10.6) that is exposed to the customer and statically NATed to internal server (192.168.6.10).
- for this exposed IP address, the customer will always come in with the same IP (100.100.100.101), which is also NATed statically to (192.169.6.35)

Now when the customer is attempting to access the exposed IP address (10.10.10.6), the tunnel establishes correctly, but the return traffic is NOT put back into the tunnel.

I am not sure where I have gone wrong, but my rules seem to lead the ASA to believe the traffic does not belong in the tunnel.

Any help would be appreciated

Thanks

Joerg

Re: ASA (8.0(4)) VPN with NAT issues

Federico Coto Fajardo — Mon, 07 Feb 2011 20:59:42 GMT

Hi,

The problem seems to be on your end because the traffic is not sent through the tunnel.

You're seeing the local traffic being NATed but not encrypted... do you have the crypto ACL specifying the NATed address instead than the real address?

Federico.

topic ASA (8.0(4)) VPN with NAT issues in VPN

ASA (8.0(4)) VPN with NAT issues

Re: ASA (8.0(4)) VPN with NAT issues