02-09-2009 07:33 AM - edited 02-21-2020 04:09 PM
I have been trying real hard to figure this out but now I am wondering if it is possible at all. We have a customer who wants to set up an IPsec VPN tunnel with them to securely transfer files. The configuration is below:

Customer's server
        |
CheckPoint FW (tunnel endpoint)
        |
     Internet
        |
ASA (tunnel endpoint) ----- Server (private IP)
The tunnel is created fine but I can't pass any traffic to them, and my suspicion is that it is due to NAT. We are NATing the private IP of our server to a public IP (static NAT), but the customer will only allow public IPs in our encryption domain, not the private IP that is actually in use. At the heart of this I believe it to be a routing problem (the customer's server doesn't know how to get back to our network, and/or if it does come back, it isn't getting back to the correct private IP). I have tried exempting this traffic from NAT policies but can't seem to get any farther in having traffic flow.

So my basic question here is: is it possible to do this with this setup through the ASA, and if so, how?
Thanks for your input,
Ted
02-09-2009 07:50 AM
Ted,
Sounds to me like a classic case of policy-based NAT for your IPsec tunnel. As you pointed out, it can be tricky, and both sides need to understand what they need to do.
What you want to do is possible from the point of view of the ASA, and from the Check Point side also. Happy to help with the config of the ASA; post it and let's see where we can improve it.
HTH
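The policy NAT arrangement the reply refers to, written out as an added example (it is not the original poster's attached config and not part of the thread). Addresses, names and crypto parameters are all assumed for illustration: 192.0.2.10 is the inside server, 203.0.113.10 the public address the customer will accept in our encryption domain, 198.51.100.0/24 the customer's network and 198.51.100.1 the Check Point peer. The syntax is the pre-8.3 ASA NAT syntax that was current when this thread was written.

```cisco
! Assumed addresses (constructed for this example, not from the thread):
!   inside server        192.0.2.10      (private, behind the "inside" interface)
!   public NAT address   203.0.113.10    (what the customer allows as our encryption domain)
!   customer's network   198.51.100.0/24 (behind their Check Point)
!   Check Point peer     198.51.100.1    (hypothetical tunnel endpoint)

! 1. Policy static NAT: translate the server to the public address ONLY when the
!    destination is the customer's network. Everything else keeps its normal NAT.
access-list NAT-TO-CUSTOMER extended permit ip host 192.0.2.10 198.51.100.0 255.255.255.0
static (inside,outside) 203.0.113.10 access-list NAT-TO-CUSTOMER

! 2. Do NOT exempt this flow from NAT. A "nat (inside) 0 access-list ..." entry that
!    matches 192.0.2.10 -> 198.51.100.0/24 would take precedence, the packet would reach
!    the crypto map with its private source address, and it would never match the
!    crypto ACL below. Leave nat 0 only for tunnels that really carry private addresses.

! 3. Crypto ACL written with the TRANSLATED address. On the ASA, NAT is applied before
!    the crypto map is consulted for outbound traffic, so the encryption domain must be
!    the post-NAT (public) address. This is also what the customer's Check Point has to
!    configure as our encryption domain, and their side must mirror it exactly.
access-list VPN-CUSTOMER extended permit ip host 203.0.113.10 198.51.100.0 255.255.255.0

! 4. Phase 1 and Phase 2 (illustrative values; use whatever was agreed with the customer)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <key-agreed-out-of-band>
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-CUSTOMER
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
! Allow decrypted traffic in without a separate outside ACL entry (default on most builds)
sysopt connection permit-vpn
```

To confirm the translation happens before encryption, run `packet-tracer input inside tcp 192.0.2.10 12345 198.51.100.20 22` on the ASA and check that the NAT phase shows 203.0.113.10 as the new source and the VPN phase reports an encrypt action; then `show crypto ipsec sa peer 198.51.100.1` should list 203.0.113.10/32 as the local identity with non-zero encaps/decaps counters. Return traffic from the customer arrives addressed to 203.0.113.10, matches the same static entry in reverse and is delivered to 192.0.2.10, which is what resolves the "doesn't get back to the correct private IP" symptom. On ASA 8.3 and later the same intent is expressed as a single twice-NAT rule, `nat (inside,outside) source static SERVER-PRIVATE SERVER-PUBLIC destination static CUSTOMER-NET CUSTOMER-NET` with the three objects defined first, and the crypto ACL stays exactly as above.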
02-09-2009 08:11 AM
Thanks for the reply. Attached is my cfg for the ASA.
Thanks,
Ted