IPsec site-to-site VPN with NAT on one of the tunnel endpoints


Hi All

I am having problems with an L2L IPsec VPN, as the tunnel is not initiating at all. I have an ASA on the A-end and a PIX on the B-end. The ASA on the A-end is also doing NAT of both source and destination, and it is also the tunnel endpoint.

The topology is like this. Note that the LAN addresses specified are not directly connected but are behind the ASA and PIX.

( ----- --A-end - (ASA)--------------------------- INTERNET -------------------- B-end PIX ---- (

NAT on ASA: (server) NAT'ed to - so the B-end sees this server as address ; NAT to - so the A-end sees the B-end subnet as

The problem is that the tunnel is not even initiating. I have attached the config.

A-end ASA

ASA Version 7.2(3)

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address standby

interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address standby

access-list proxy_acl extended permit ip host
access-list proxy_acl extended permit ip
access-list outside extended permit icmp any any
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp
access-list inside extended permit ip any any
access-list policy-nat-1 extended permit ip any
access-list policy-nat-1 extended permit ip any

global (outside) 1
nat (inside) 1 access-list policy-nat-1
static (inside,outside) netmask
static (outside,inside) netmask

access-group inside in interface inside
access-group outside in interface outside

route inside
route inside
route outside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRY-MAP 10 match address proxy_acl
crypto map CRY-MAP 10 set peer
crypto map CRY-MAP 10 set transform-set ESP-3DES-SHA
crypto map CRY-MAP 10 set security-association lifetime seconds 28800
crypto map CRY-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *

B-end PIX

access-list proxy-acl permit ip
access-list no_nat permit ip
nat (data) 0 access-list no_nat

crypto ipsec transform-set 3dessha1 esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address proxy-acl
crypto map vpn 10 set peer
crypto map vpn 10 set transform-set 3dessha1
crypto map vpn interface outside

isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

ASA config:

- There is no route for - you have a route for 10/8 pointing to the inside. Add another route:

route outside

PIX config:

- You have the ACL access-list proxy-acl permit ip

BUT you are NATing the host to address - the IPs don't match.

Also make sure you have a route.
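The two points the reply makes can be checked mechanically before touching either box: the crypto (proxy) ACLs on the two peers have to be exact mirrors of each other written with the post-NAT addresses, and the ASA has to route the prefix its inside hosts use for the far side out of the interface that carries the crypto map rather than letting the 10/8 route to inside swallow it. The script below is an added example written for this page, not the thread's configuration or Cisco tooling; every address in it is a constructed placeholder (RFC 5737 / RFC 1918) because the original post's addresses are not reproduced here.

```python
"""Consistency checks for a policy-NAT L2L IPsec design (added example, not the
thread's config).

1. The crypto (proxy) ACLs on the two peers must be exact mirrors of each other,
   written with the post-NAT addresses (the NAT'd server address on the A-end,
   the real B-end subnet), not the pre-NAT ones.
2. The ASA must route the prefix its inside hosts use for the far side out of the
   interface that carries the crypto map; otherwise a broader route (here 10/8
   to inside) takes the traffic and the tunnel never initiates.

All addresses are constructed placeholders (RFC 5737 / RFC 1918).
"""
import ipaddress


def _parse_addr(tokens, i):
    """Parse one ACL address starting at tokens[i]: 'any', 'host A', or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX/ASA ACLs use a dotted netmask (not an IOS wildcard) after the address
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Return [(src_net, dst_net)] for 'access-list NAME [extended] permit ip SRC DST'."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        if t[2] == "extended":          # ASA 7.x syntax; PIX 6.x omits the keyword
            del t[2]
        if t[2] != "permit" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((src, dst))
    return entries


def unmirrored(local_acl, remote_acl):
    """Local entries with no exact (dst, src) counterpart on the remote peer.
    Any entry returned means the two ends will never agree on the Phase 2 proxy IDs."""
    remote = {(d, s) for s, d in remote_acl}
    return [e for e in local_acl if e not in remote]


def egress_interface(routes, dest):
    """Longest-prefix match of dest over [(prefix, interface)]; None if unrouted."""
    best = None
    for prefix, ifname in routes:
        if dest.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


# --- constructed scenario shaped like the thread (hypothetical addresses) -------
# A-end server 10.1.1.10 is presented to the B-end as 192.0.2.10 (static inside,outside).
# B-end real subnet 172.16.5.0/24 is presented to A-end hosts as 10.200.0.0/24
# (static outside,inside), so A-end hosts send to 10.200.0.x.
ASA_PROXY_ACL = parse_acl([
    "access-list proxy_acl extended permit ip host 192.0.2.10 172.16.5.0 255.255.255.0",
])
PIX_PROXY_ACL_OK = parse_acl([
    "access-list proxy-acl permit ip 172.16.5.0 255.255.255.0 host 192.0.2.10",
])
# The mismatch the reply points at: PIX ACL written against the server's real address.
PIX_PROXY_ACL_BAD = parse_acl([
    "access-list proxy-acl permit ip 172.16.5.0 255.255.255.0 host 10.1.1.10",
])

NET = ipaddress.ip_network
ASA_ROUTES_BEFORE = [(NET("10.0.0.0/8"), "inside"), (NET("0.0.0.0/0"), "outside")]
ASA_ROUTES_AFTER = ASA_ROUTES_BEFORE + [(NET("10.200.0.0/24"), "outside")]
FAR_SIDE_AS_SEEN_BY_A = NET("10.200.0.0/24")


def check(asa_acl, pix_acl, routes):
    """Summarise both checks; a correct design yields no mismatches and egress 'outside'."""
    return {
        "acl_mismatches": unmirrored(asa_acl, pix_acl),
        "egress": egress_interface(routes, FAR_SIDE_AS_SEEN_BY_A),
    }


if __name__ == "__main__":
    print("as posted :", check(ASA_PROXY_ACL, PIX_PROXY_ACL_BAD, ASA_ROUTES_BEFORE))
    print("corrected :", check(ASA_PROXY_ACL, PIX_PROXY_ACL_OK, ASA_ROUTES_AFTER))
```

Run against the "as posted" inputs it reports the PIX entry with no mirror and an egress of inside for the far-side prefix, which is exactly the state in which ISAKMP is never triggered; with the PIX ACL rewritten to the NAT'd address and the more specific route added, both checks come back clean. The mirror test is deliberately strict (same prefixes, not merely overlapping ones), because that is what the peers compare during Phase 2.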


