Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
566
Views
0
Helpful
1
Replies

ASA (8.0(4)) VPN with NAT issues

joerggrau
Level 1
Level 1

‎02-07-2011 12:30 PM

I am trying to setup a VPN tunnel with one of our customers.  We usually do all the NATing on a separate ASA, but for this tunnel we have to do it on the same ASA.  Now from what I can tell ,my traffic is being NATed, but the ASA does not seem to think it belongs in the tunnel.  It is not being encrypted and send out the interface, but not the tunnel.

Here is the basic layout:

  • I have a protected DMZ.  A server on that DMZ (192.168.6.5, or 192.168.6.6) connects to an internal NAT (192.168.6.34).
  • A dynamic policy hides the two servers (.5 and .6) behind an external IP address (10.10.10.5),  the intern al NAT has been statically NATed to the IP address of the customer server (100.100.100.100).
  • The VPN peer on the customer site (200.200.200.200) is configured.
  • Static route for 100.100.100.100 via 200.200.200.200 is configured on the ASA.
  • We also have an external IP address (10.10.10.6) that is exposed to the customer and statically NATed to internal server (192.168.6.10).
    • for this exposed IP address, the customer will always come in with the same IP (100.100.100.101), which is also NATed statically to (192.169.6.35)

Now when the customer is attempting to access the exposed IP address (10.10.10.6), the tunnel establishes correctly, but the return traffic is NOT put back into the tunnel.

I am not sure where I have gone wrong, but my rules seem to lead the ASA to believe the traffic does not belong in the tunnel.

Any help would be appreciated

Thanks

Joerg

Labels:
0 Helpful
1 Reply 1

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎02-07-2011 12:59 PM

Hi,

The problem seems to be on your end because the traffic is not sent through the tunnel.

You're seeing the local traffic being NATed but not encrypted... do you have the crypto ACL specifying the NATed address instead than the real address?

Federico.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents