Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
672
Views
0
Helpful
2
Replies

VPN - ONE ASA BEHIND NAT

filip00011
Level 1
Level 1

‎05-08-2018 04:29 PM - edited ‎03-12-2019 05:16 AM

I have two ASA (see the picture)

ASA in europe sits behind NAT.

There are two tunnels. The one that comes up first works. The other one has 0 decrypted packets.

Packets are being encrypted for both tunnels on USA side.

Is there any solution?

Labels:
Preview file
24 KB
0 Helpful
2 Replies 2

GioGonza
Level 4
Level 4

‎05-09-2018 08:14 AM

Hello @filip00011,

 

Can you share the configuration for both devices in order to check them further?

 

Gio

0 Helpful

filip00011
Level 1
Level 1
In response to GioGonza

‎05-09-2018 08:50 AM

I think the problem is that ASA-Europe is behind nat. So, ASA does not see the original source IP. for ASA-Europe it all looks like it comes from 10.0.0.137.

Since all ESP packets are coming from 10.0.0.137 port 4500. ASA does not know to which tunnel group it belongs to.

 

Maybe the solution would be to use IPsec over TCP. I have to find out how to configure it.

Preview file
10 KB
0 Helpful
Customers Also Viewed These Support Documents