I have been trying real hard to figure this out, but now I am wondering if it is possible at all. We have a customer who wants to set up an IPsec VPN tunnel with them to securely transfer files. The configuration is below:
Customer's server -- CheckPoint FW (tunnel endpoint) -- Internet -- ASA (tunnel endpoint) -- Server in DMZ (private IP)
The tunnel is created fine, but I can't pass any traffic to them, and my suspicion is that it is due to NAT. We are NATing the private IP of our server to a public IP (static NAT), but the customer will only allow public IPs in our encryption domain, not the private IP that is actually in use.

At the heart of this, I believe this to be a routing problem (the customer's server doesn't know how to get back to our network, and/or if the traffic does come back, it isn't getting back to the correct private IP). I know that NAT and IPsec don't mix, but looking at that further, that was more for AH types, and this is ESP.

So my basic question here is: is this possible to do with this setup through the ASA, and if so, how?
Thanks for your input,
Ted
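Added example, not part of Ted's post and not his configuration: an ASA (8.4+ syntax) configuration for the scenario he describes, where the DMZ server is statically translated to a public address and that public address is what the customer sees as our encryption domain. Every IP address, object name, interface name (`dmz`, `outside`) and the IKE/IPsec parameters are assumptions chosen for illustration; the phase 1/2 settings are placeholders, since the tunnel itself is already negotiating in Ted's case. The point the example shows is the ASA's order of operations: outbound NAT is applied before the packet is compared against the crypto ACL, so the crypto ACL (the local encryption domain proposed to the peer) must list the translated public address, not the private DMZ address, and the static NAT rule must sit above any NAT-exemption rule that would otherwise match first and send the untranslated private IP into the tunnel. On the return path the ASA decrypts, matches the crypto ACL in reverse, and then un-NATs the public address back to the DMZ server. This is translation of the inner packet before encryption; it is unrelated to NAT traversal of the ESP packet itself, which is the case where NAT and AH conflict.

```cisco
! --- Objects (all addresses are assumptions for illustration) ---
object network DMZ_SRV_PRIV
 host 10.10.10.20
 description File server, real address in the DMZ
object network DMZ_SRV_PUB
 host 203.0.113.20
 description Public address the customer sees (our encryption domain)
object network CUST_SRV
 host 198.51.100.50
 description Customer's server behind their CheckPoint
!
! --- NAT: translate the DMZ server to its public IP for traffic to the customer ---
! Manual (twice) NAT lives in section 1 and is evaluated first-match from the top.
! Line number 1 forces this rule above any broader identity/exemption rule such as
!   nat (dmz,outside) source static any any destination static SOME_NET SOME_NET
! which would otherwise match first and leak 10.10.10.20 into the tunnel.
nat (dmz,outside) 1 source static DMZ_SRV_PRIV DMZ_SRV_PUB destination static CUST_SRV CUST_SRV
!
! --- Crypto ACL = encryption domain. Post-NAT addresses on our side ---
! The peer's CheckPoint must configure 203.0.113.20 (not 10.10.10.20) as the remote domain.
access-list VPN_CUST extended permit ip object DMZ_SRV_PUB object CUST_SRV
!
! --- IKEv2 / ESP placeholders (assumed values; the poster's working tunnel keeps its own) ---
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto map OUTSIDE_MAP 10 match address VPN_CUST
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <shared-secret>
 ikev2 local-authentication pre-shared-key <shared-secret>
!
! --- Verification (exec commands, not configuration) ---
! packet-tracer walks the same order of operations: the NAT phase should show
! 10.10.10.20 -> 203.0.113.20, and the VPN phase should then match VPN_CUST.
! If the VPN phase is skipped, an earlier NAT rule is matching first.
!   packet-tracer input dmz tcp 10.10.10.20 40000 198.51.100.50 22
! Once traffic flows, the IPsec SA should carry the public identity:
!   show crypto ipsec sa peer 198.51.100.1
!   (expect "local ident (addr/mask/prot/port): (203.0.113.20/255.255.255.255/0/0)")
```

Two caveats worth checking on the far side: the CheckPoint's encryption domain for us must contain 203.0.113.20, and its routing must send that address into the VPN rather than out to the Internet; if either is off, the return packets never reach the ASA to be decrypted and un-NATed.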