ASA IPSec question

I have been trying real hard to figure this out but now I am wondering if it is possible at all. We have a customer who wants to setup an IPSec vpn tunnel with them to securely transfer files. The configuration is below

Customer's server | CheckPoint FW (Tunnel endpoint) | Internet | Server in DMZ (Private IP)------------------------------ ASA (Tunnel endpoint)

The tunnel is created fine but I can't pass any traffic to them and my suspicion is that it is due to NAT. We are NATing the private IP from our server to a public IP (static NAT), but the customer will only allow public IPs for our encryption domain, not the private IP that is actually in use. At the heart of this I believe this to be a routing problem (the customer's server doesn't know how to get back to our network and/or, if it does come back, it isn't getting back to the correct private IP). I know that NAT and IPSec don't mix, but looking at that further that was more for AH types and this is ESP. So my basic question here is: is this possible to do with this setup through the ASA and if so how?

Thanks for your input,

Ted

Reply to
bnews

I think in this case if they will not let a private IP connect to their network then you are stuffed. Your server has a private IP address; it has to be NAT'd to get over the internet, then NAT'd again at the customer end before the tunnel terminates. Maybe there are workarounds, but I would suggest your only option would be a 1-to-1 static NAT to another public IP address if you have one available (or just put the IP straight onto the device). Google could be your friend for a workaround.

Flamer.

Reply to
die.spam


Hi Ted,

When looking at the diagram in my WWW browser it was all skewed. Reading the text I sort of got the impression that you wanted to set up a public to public VPN, if I am mistaken my apologies.

I just wanted to make a point about NAT and IPsec. NAT happens before encryption when you are sending traffic (and the reverse inbound). There are a number of articles on Cisco.com that explain this. Whatever you are trying to achieve, just picture this first. When your traffic is NAT'd, your crypto ACLs will include the translated address. The remote end would just need a route back to the same address. NAT doesn't have to break the VPN.

Regards

Darren

Reply to
Darren Green


There is one thing that I think might be needed here that is not necessarily obvious.

I think that you need a route in your ASA pointing to the "public IP" with the next hop in your DMZ.

e.g. ip route public-IP 255.255.255.255 any-address-in-your-dmz

The any-address-in-your-dmz does not even have to exist. It will never actually be used since the NAT process will do its stuff before the packet gets to the DMZ interface.

I think it is needed though to direct the traffic in the right direction when it comes into the router.

See for example:-

formatting link
ip nat inside source static 171.68.200.48 172.16.47.150
ip route 171.68.200.0 255.255.255.0 172.16.47.162

The route is *never* used to send traffic since packets entering the router with the dest 171.68.200.48 get the dest changed to 172.16.47.162 but the command is there in the example all the same.

I know that the link refers to IOS and not to PIX/ASA but I have had to do the same thing on Checkpoint too.

I am slightly confused frankly with this but I for sure have had to do something similar from time to time.

Reply to
bod43
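Putting Darren's ordering rule (NAT before the crypto map, so the crypto ACL carries the translated address) and bod43's route suggestion together, here is an added example of the ASA side in pre-8.3 syntax. It is not from the thread or from Cisco's document, and all addresses are constructed documentation values; the customer's encryption domain would then be 203.0.113.5, the translated address, exactly mirrored against our crypto ACL.

```cisco
! Constructed example addresses (RFC 5737 documentation ranges), not values from the thread:
!   DMZ server, real IP        10.10.10.5    behind interface "dmz"
!   Static public IP           203.0.113.5   the address the customer puts in their encryption domain
!   Customer's CheckPoint      198.51.100.1  remote tunnel endpoint
!   Customer's server          192.0.2.20    remote encryption domain
!
! 1. Static NAT. On egress the ASA translates 10.10.10.5 -> 203.0.113.5 BEFORE it consults
!    the crypto map, so every line below must refer to 203.0.113.5, never to 10.10.10.5.
static (dmz,outside) 203.0.113.5 10.10.10.5 netmask 255.255.255.255

! 2. Crypto ACL (interesting traffic) written with the translated address. The customer's
!    side must be the exact mirror: 192.0.2.20 <-> 203.0.113.5. A proxy identity built on
!    the private 10.10.10.5 would either fail phase 2 negotiation or never be matched.
access-list VPN_TO_CUSTOMER extended permit ip host 203.0.113.5 host 192.0.2.20

! 3. Phase 1 and phase 2 (ASA 8.0-8.2 syntax, i.e. pre-8.3 NAT model)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_CUSTOMER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET

! 4. bod43's host route for the public IP. The static statement already names the
!    (dmz,outside) interface pair, so on the ASA this is usually redundant; leave it
!    commented out unless testing shows inbound traffic for 203.0.113.5 is misrouted.
! route dmz 203.0.113.5 255.255.255.255 10.10.10.1

! 5. Checks. The SA should list local ident 203.0.113.5 and remote ident 192.0.2.20.
!    "#pkts encaps" rising while "#pkts decaps" stays at 0 means our side is sending and
!    the customer is not returning traffic to 203.0.113.5 (their routing or their domain).
!    The xlate entry confirms the static translation is actually being hit.
! show crypto ipsec sa peer 198.51.100.1
! show xlate | include 203.0.113.5
```

Running the two show commands while the customer watches their side separates "nothing leaves our ASA" from "it leaves but never comes back", which is the distinction Ted is trying to make.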


Thanks for the ideas. I found this documentation on Cisco's site

formatting link
which best depicts my situation and found out that I indeed was configuring it like this already but it still doesn't work. As I have some example to go by, I have contacted the other company in an effort to try and see if they can see any traffic trying to go across the tunnel. I also did try the extra route command as well but that didn't seem to have any effect. Having so many different variables and not being in control of the other side of the tunnel is making me a bit crazy. The other company gave me an IP to ftp to through the tunnel for test, but I am now even questioning if that is right, as that too would explain why the traffic isn't going across.

Thanks,

Ted

Reply to
bnews


The hyperlink didn't get fully captured right, so if you check out the example on Cisco's site, it is called "PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example".

Thanks,

Ted

Reply to
bnews
