IKEV2 IPSEC VTI behind NAT - ASA to ASA - L2L

Prime56
Level 1

Hi all,

 

I've been having really easy success configuring my route-based tunnels from ASA to ASA. One of my sites, though, has its outside IP as a private IP, which then gets NAT'd by the modem etc. and sent out.

I have NAT traversal enabled on both ASAs.

In my configs, do I need to have the peer IP as the internal IP address? I can't seem to get the tunnel to come up.

My private IP address right now on ASA 1 is 192.168.0.69 (outside)

Accepted Solutions

Why is it that every time I post I figure the issue out?

I had to contact my carrier to tell me my public IP since I didn't have access to remote machines to go online and figure it out. They gave me it, but turns out it was the wrong one.......

Had a user go and give me the IP from ipchicken.com and all is well.....I put too much trust in people sometimes LOL

4 Replies 4

...

Good job, man. Yes, sometimes you are 100% sure your steps are right, but some wrong info still makes you crazy.
Good luck, man.

In order to bring the tunnel up, you need to define the public IP address on both firewalls.

 

I assume the ASA firewall is behind the router. This upstream router is NATing the public IP address to the private IP address of the ASA's outside; that will work. If this is correct, then you need to define the router's public IP address on your other-end firewall to bring up the tunnel, as the router will change UDP 500 into UDP 4500. Plus, NAT traversal is on by default on the ASA firewalls.

 

Please do not forget to rate.
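
The peer addressing discussed in this thread, as an added configuration sketch that is not taken from any poster's device. Assumptions: 203.0.113.10 stands in for the modem's public IP, 198.51.100.20 for ASA 2's public outside IP, the 169.254.10.0/30 tunnel addresses, the names `vti-to-asa1`, `vti-to-asa2` and `VTI-PROFILE`, and the `<psk>` placeholder are all constructed; the IPsec profile and IKEv2 policy are assumed to exist already.

```cisco
! ===== ASA 1: behind the NAT modem, outside = 192.168.0.69 (from the post) =====
! Nothing here references 192.168.0.69 as a peer; ASA 1 only points at
! ASA 2's public address.
interface Tunnel1
 nameif vti-to-asa2
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
!
crypto ikev2 enable outside
!
! ===== ASA 2: public address directly on outside (198.51.100.20) =====
! The peer is the modem's PUBLIC address, not ASA 1's private outside IP.
! Confirm that address from the ASA 1 site itself before entering it here.
interface Tunnel1
 nameif vti-to-asa1
 ip address 169.254.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
!
crypto ikev2 enable outside
!
! ===== Check on either side after bringing the tunnel up =====
! show crypto ikev2 sa
! The remote address listed on ASA 2 should be 203.0.113.10; if the
! configured tunnel destination and tunnel-group name do not match the
! address ASA 1's traffic actually arrives from, the SA will not establish.
```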