02-09-2009 07:33 AM - edited 02-21-2020 04:09 PM
I have been trying real hard to figure this out but now I am wondering if it is possible at all. We have a customer who wants to setup an IPSec vpn tunnel with them to securely transfer files. The configuration is below
FW (Tunnel endpoint)
ASA (Tunnel endpoint)-----Server (Private IP)
The tunnel is created fine but I can't pass any traffic to them and my
suspicion is that it is due to NAT. We are NATing the private IP from
our server to a public IP (static NAT) , but the customer only will
allow public IPs for our encryption domain, not the private IP that is
actually in use. At the heart of this I believe this to be a routing
problem (the customer's server doesn't know how to get back to our
network and/or if it does come back, it isn't getting back to the
correct private IP. I have tried exempting this traffic from NAT policies but can't seem to get any farther in having traffic flow.
So my basic question here is: is this possible to do with this
setup through the ASA and if so how?
Thanks for your input,
02-09-2009 07:50 AM
Sounds to me like a classic case of policy based NAT for your IPSEC tunnel. As you pointed out, can be tricky and both sides need to understand what they need to do.
What you want to do - from the point of the ASA is possible, and from the Checkpoint side also. Happy to help with the config of the ASA, post it and lets see where we can improve it.
02-09-2009 08:11 AM
Thanks for the reply. Attached is my cfg for the ASA.
02-11-2009 10:58 AM
I found this documentation on Cisco's site
products_configuration_example09186a00808c9950.shtml) which best
depicts my situation and found out that I indeed was configuring it
like this already but it still doesn't work. As I have some example to
go by, I have contacted the other company in an effort to try and see
if they can see any traffic trying to go across the tunnel. Having so many different variables and not being in control of
the other side of the tunnel is making me a bit crazy. The other
company gave me an IP to ftp to through the tunnel for test, but I am
now even questioning if that is right, as that too would explain why
the traffic isn't going across.
02-11-2009 12:11 PM
I am familiar with both Checkpoint and ASA.
Can you repost your ASA configuration so
that I may be able to help you.
The configuration on the Checkpoint side
is very straight forward. The checkpoint
only needs to know the Public IP addresses
of the NAT'ed private network on your end
so that when it creates an Interoperable
Device, it includes that in the remote
encryption domain. Post your config and
I may be able to help you.
02-11-2009 01:30 PM
02-11-2009 06:28 PM
Looking at your configuration, I am assuming this:
1- access-list policy-nat extended permit ip host 10.10.12.39 126.96.36.199 255.0.0.0
static (delta,outside) 188.8.131.52 access-list policy-nat
access-list outside_cryptomap_20 extended permit ip host 184.108.40.206 220.127.116.11 255.0.0.0
access-list outside_cryptomap_20 extended permit tcp host 18.104.22.168 22.214.171.124 255.0.0.0
access-list outside_cryptomap_20 extended permit udp host 126.96.36.199 188.8.131.52 255.0.0.0
access-list outside_cryptomap_20 extended permit icmp host 184.108.40.206 220.127.116.11 255.0.0.0
2- the network behind the CP side is 18.104.22.168/8,
3- VPN traffics will be from host 22.214.171.124 going to 126.96.36.199/8
Here is the solution:
1- on the Checkpoint side, the local encryption domain will be 188.8.131.52/8. This network will go under the Checkpoint,
2- create an Interoperable device for the
ASA, and put host 184.108.40.206 in the ASA
3- create a VPN community, make sure you
disable NAT inside VPN community. This
is important because the CP knows nothing
about NAT on your end. CP only knows
about the host 220.127.116.11 network,
4- run tcpdump and "debug vpn ikeon" and
look at the debug information.
Your configuration looks ok.
02-12-2009 06:42 AM
Thanks a bunch for looking this over and sharing your knowledge with regard to the checkpoint cfg. You are correct in all your assumptions from my ASA cfg.I know for a fact that they set the encryption domain on the checkpoint side to 18.104.22.168/24. Could this be where the problem comes from since the tunnel endpoint is listed as being a part of the encryption domain on the checkpoint?
02-12-2009 07:04 AM
Please only put host 22.214.171.124 under
Checkpoint local encryption domain. You
must NOT put the whole /24 under the
Checkpoint local encryption domain. That
explained why you has the issue, IMHO.
Furthermore, please select "exchange key
per hosts" under the CP VPN community,
if you use VPN simplified mode.
Let me know if you still have issues.
02-12-2009 09:10 AM
Thanks again for your insight. I have made the request to have the encryption domain changed but that will most likely take a couple days before they get it done. I will post back the result.
02-19-2009 09:09 AM
They finally made the change to the encryption domain to the one ip address and I can successfully pass traffic through. Thanks again for all the help.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: