Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
913
Views
0
Helpful
2
Replies

Problem with ASA's Initiating IPSEC VPN when NAT is used

Go to solution
robierramsey
Level 1
Level 1

‎10-02-2020 12:38 PM

 I have an IKEV2 tunnel that I'm trying to configure.  My problem is that when I introduce NAT into the mixture on the initiating ASA(Away1asa), the tunnel doesn't build.  When I remove NAT the tunnel will build.  When I have NAT in the mix and I send interesting traffic it's as if the policy isn't in use.  As proof of that I look at the debug output from the router that I have that sits between the two ASA's and it sends a reply back to the initiating ASA that says that the destination host is unreachable, stating that the IP address it's trying to reach is the internal LAN address of the Headend/Robot ASA.  I've tried it with and without NAT Exemption on the profile.  Can some one please assist.

 

 ASA IPSEC.jpg

Labels:
Preview file
9 KB
Preview file
10 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎10-02-2020 12:52 PM

Hi @robierramsey 

I imagine your existing NAT rule is being matched before your NAT exemption rule. Recreate the NAT rule with "after-auto" command, this will move this NAT rule to "Section 3" and apply last, ensuring traffic will match the NAT exemption rule. Try this:-

 

Away1

no nat (inside,outside) source dynamic away-Net1 interface
nat (inside,outside) after-auto source dynamic away-Net1 interface

 

Robotasa
no nat (inside,outside) source dynamic LocalNet interface
nat (inside,outside) after-auto source dynamic LocalNet interface

 

HTH

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎10-02-2020 12:52 PM

Hi @robierramsey 

I imagine your existing NAT rule is being matched before your NAT exemption rule. Recreate the NAT rule with "after-auto" command, this will move this NAT rule to "Section 3" and apply last, ensuring traffic will match the NAT exemption rule. Try this:-

 

Away1

no nat (inside,outside) source dynamic away-Net1 interface
nat (inside,outside) after-auto source dynamic away-Net1 interface

 

Robotasa
no nat (inside,outside) source dynamic LocalNet interface
nat (inside,outside) after-auto source dynamic LocalNet interface

 

HTH

0 Helpful

Go to solution
robierramsey
Level 1
Level 1
In response to Rob Ingram

‎10-02-2020 01:02 PM

OOOOOOOOOOOOOH MY GOSH!!!!!  I've been punching walls and kicking chairs for a week on this problem.  Thanks Rob.  That fixed my issue.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents