IPSec Tunnel Help


Recently we upgraded to a Cisco ASA 5512-X with an IPS license. I spent the weekend configuring it; there is one thing I cannot get to work correctly, and that is a new IPSec connection from our firewall to the firewall of a supplier, which was the primary reason for upgrading to this ASA from our old Netgear one, as that one would not route to multiple remote subnets over the tunnel and this one will.

Here is basically what I need. I currently have 2 interfaces on the ASA that access the outside. So here is the concept of the tunnel:

I need to connect from our ASA to the supplier's Checkpoint firewall, and I need about 6 remote subnets to route through the tunnel (or traverse the tunnel, whichever you prefer). To set up the connection I have to connect from the specific public IP we gave them to their public IP. To establish a connection, incoming traffic has to be coming from the public IP we gave them.

So for the configuration I went to the Site-to-Site VPN wizard and created the IKEv1 tunnel using the pre-shared key. The tunnel is set to the interface of the public IP we gave them, say for example. The remote endpoint is the one they gave us. Then I have the source address as a specific group of users and I have the destination subnets the supplier provided.

In NAT I have a dynamic PAT rule set up that says source group IP address going to remote subnets will go through the interface that is set up for However, the connection is rejected as the host address does not match the address of

Sorry for the most likely noob question. I am fairly new to networking; I'm more of a server guy, but nowadays I'm everything IT, so this was put onto my workload and I have almost no experience with setting up this type of connection.

If you need any more info from me to help out, please let me know.


For VPN traffic travelling through the tunnel you need NAT exemption and not PAT.

Does the tunnel come up?

What do you see in ASDM logging?

The simple resolution was that for the Local Network in the site-to-site VPN I was choosing inside hosts, and it needed to be from the Comcast interface, as that is the address that needed to make the connection. Once I did that I was able to ping through the tunnel successfully.

NAT (PAT) seems to be working fine with the setup.

Thank you for the help.
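As an added illustration (not configuration from this thread), here is the ASA CLI equivalent of the resolution above: inside users are PATed to the Comcast-facing interface address only for supplier-bound traffic, and the crypto ACL names that interface address as the local network, because the ASA matches the crypto ACL after translation. All addresses, the interface nameif `comcast`, object names and the peer IP are constructed placeholders.

```cisco
! Interface facing the supplier; nameif "comcast" is an assumption
interface GigabitEthernet0/1
 nameif comcast
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
object network INSIDE_USERS
 subnet 10.10.20.0 255.255.255.0
object-group network SUPPLIER_NETS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
!
! Twice NAT: only traffic from INSIDE_USERS to the supplier subnets is
! PATed to the comcast interface address; all other flows are untouched.
nat (inside,comcast) source dynamic INSIDE_USERS interface destination static SUPPLIER_NETS SUPPLIER_NETS
!
! The crypto ACL is evaluated AFTER NAT, so the local side is the
! interface address (the "Local Network" the poster had to change),
! not the inside host range.
access-list SUPPLIER_VPN extended permit ip host 203.0.113.10 object-group SUPPLIER_NETS
!
crypto ikev1 enable comcast
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map COMCAST_MAP 10 match address SUPPLIER_VPN
crypto map COMCAST_MAP 10 set peer 198.51.100.20
crypto map COMCAST_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map COMCAST_MAP interface comcast
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
!
! Verification: packet-tracer shows which NAT rule fired and whether the
! VPN phase matched; the sa commands confirm phase 1 and phase 2 are up.
packet-tracer input inside tcp 10.10.20.5 1025 172.16.10.5 443
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.20
```

If the supplier accepted the inside range instead of the public IP, the NAT exemption suggested in the reply would replace the `nat` line with `source static INSIDE_USERS INSIDE_USERS destination static SUPPLIER_NETS SUPPLIER_NETS no-proxy-arp route-lookup`, and the crypto ACL would then list the inside subnet as the local network.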