NAT traversal remote site

Toolshedr6
Level 1

Hi,

Trying to set up an IPsec tunnel with another site (non-Cisco). I'm running an ASA 5540. I'm NATing a public IP address from my WAN router to the ASA interface in the DMZ. The vendor is getting an error that both IPs need to match, and he can't enable NAT traversal. Anything I can do on my end (port forwarding, etc.)?

I'm able to establish phase 2, but traffic is not crossing through the tunnel.

3 Replies

Francesco Molino
VIP Alumni
Hi

Just to clarify:
- Are you doing port forwarding for the IPsec ports to your ASA, or 1:1 NAT?
- Is your tunnel up between your ASA and the remote firewall?

Can you share your config, please, and add the `sh crypto ipsec` and `sho cry isakmp` outputs?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

It's 1:1 NAT.

The tunnel is up. It took a while to get to phase 2, but it's initiated; I just don't see packets being exchanged. On the vendor's side, his firewall is showing that the IPs need to match.

IKE Peer: x.x.x.x           Role: responder

Type: L2L                     State: MM_ACTIVE 

Rekey: no

I think they made some changes on their end. Can't do IPsec right now; I was able to last evening.

The error on their side is similar to: we require peer ID 'our public IP here', but the peer declares 'ASA interface IP in DMZ here'.

Hi. So your ASA is identifying itself using its local interface IP address, but the vendor is expecting it from the NATed IP address. Try sending a specific identity, "crypto isakmp identity {address | hostname}", e.g. use the IP address of the public NATed IP.

Failing that, send the output that Francesco previously requested.

HTH
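As an added illustration of the identity mismatch discussed in this thread (this is editor-supplied example configuration, not a config posted by Toolshedr6 or either responder), the fragment below shows the two ASA settings that matter when the IKE peer sits behind a 1:1 NAT: NAT traversal and the identity the ASA announces. All addresses, the interface name `dmz`, and the pre-8.4 `crypto isakmp` syntax are assumptions; the vendor side must be configured to accept the same identity type and value.

```cisco
! Added example, not from the thread. Placeholder addressing (assumed):
!   ASA DMZ interface (private, behind 1:1 NAT) : 10.1.1.2
!   Public address the WAN router translates   : 203.0.113.10
!   Remote (non-Cisco) IKE peer                 : 198.51.100.20

! The WAN router's 1:1 NAT must pass UDP/500 (IKE), UDP/4500 (NAT-T) and
! IP protocol 50 (ESP) to 10.1.1.2; the ASA cannot fix that from its side.

! Enable NAT traversal on the ASA (IKE NAT-T keepalive every 20 s).
! Once both peers detect the NAT, ESP is encapsulated in UDP/4500.
crypto isakmp nat-traversal 20
crypto isakmp enable dmz

! Default behaviour: "crypto isakmp identity address" announces the IP of the
! interface the tunnel terminates on, i.e. the private 10.1.1.2. That is the
! "peer declares 'ASA interface IP in DMZ'" message the vendor sees.
!
! Announce a fixed identity string instead. key-id sends an ID of type KEY_ID;
! the remote firewall must expect KEY_ID "203.0.113.10" rather than an
! IPv4-address ID (assumption: the vendor product allows choosing the ID type).
crypto isakmp identity key-id 203.0.113.10

! L2L peer: tunnel-group is named after the remote peer's address.
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! Verification after the change (compare with the MM_ACTIVE output in the thread):
!   show crypto isakmp sa            -> phase 1 state and role
!   show crypto ipsec sa | include pkts
! If "#pkts encaps" rises but "#pkts decaps" stays at 0, the return path
! (ESP or UDP/4500 back through the router's NAT) is the next place to look.
```

On ASA 8.4 and later the same commands exist under `crypto ikev1` (for example `crypto ikev1 enable dmz`), but `crypto isakmp identity` and `crypto isakmp nat-traversal` remain valid; the point of the example is the identity type, which is what the vendor's error message is actually complaining about.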