IPSec and NAT on an ASA

Feb 9th, 2009

I have been trying real hard to figure this out but now I am wondering if it is possible at all. We have a customer who wants to set up an IPSec VPN tunnel with them to securely transfer files. The configuration is below:



CheckPoint FW (Tunnel endpoint) -------- ASA (Tunnel endpoint) ----- Server (Private IP)

The tunnel is created fine but I can't pass any traffic to them, and my suspicion is that it is due to NAT. We are NATing the private IP from our server to a public IP (static NAT), but the customer will only allow public IPs for our encryption domain, not the private IP that is actually in use. At the heart of this I believe this to be a routing problem (the customer's server doesn't know how to get back to our network and/or, if it does come back, it isn't getting back to the correct private IP). I have tried exempting this traffic from NAT policies but can't seem to get any farther in having traffic flow.

So my basic question here is: is this possible to do with this setup through the ASA, and if so, how?

Thanks for your input,




Sounds to me like a classic case of policy-based NAT for your IPSec tunnel. As you pointed out, it can be tricky, and both sides need to understand what they need to do.

What you want to do is possible from the point of view of the ASA, and from the Checkpoint side also. Happy to help with the config of the ASA; post it and let's see where we can improve it.


liv2bldcisco Wed, 02/11/2009 - 10:58

I found this documentation on Cisco's site (products_configuration_example09186a00808c9950.shtml) which best depicts my situation, and found out that I indeed was configuring it like this already, but it still doesn't work. As I have some example to go by, I have contacted the other company in an effort to try and see if they can see any traffic trying to go across the tunnel. Having so many different variables and not being in control of the other side of the tunnel is making me a bit crazy. The other company gave me an IP to FTP to through the tunnel for a test, but I am now even questioning if that is right, as that too would explain why the traffic isn't going across.



cisco24x7 Wed, 02/11/2009 - 12:11

I am familiar with both Checkpoint and ASA. Can you repost your ASA configuration so that I may be able to help you.

The configuration on the Checkpoint side is very straightforward. The Checkpoint only needs to know the public IP addresses of the NAT'ed private network on your end, so that when it creates an Interoperable Device, it includes that in the remote encryption domain. Post your config and I may be able to help you.

cisco24x7 Wed, 02/11/2009 - 18:28

Looking at your configuration, I am assuming this:

1- access-list policy-nat extended permit ip host
static (delta,outside) access-list policy-nat
access-list outside_cryptomap_20 extended permit ip host
access-list outside_cryptomap_20 extended permit tcp host
access-list outside_cryptomap_20 extended permit udp host
access-list outside_cryptomap_20 extended permit icmp host

2- the network behind the CP side is,

3- VPN traffic will be from host going to

Here is the solution:

1- on the Checkpoint side, the local encryption domain will be This network will go under the Checkpoint,

2- create an Interoperable Device for the ASA, and put host in the ASA encryption domain,

3- create a VPN community, and make sure you disable NAT inside the VPN community. This is important because the CP knows nothing about NAT on your end. The CP only knows about the host network,

4- run tcpdump and "debug vpn ikeon" and look at the debug information.

Your configuration looks ok.

liv2bldcisco Thu, 02/12/2009 - 06:42

Thanks a bunch for looking this over and sharing your knowledge with regard to the Checkpoint cfg. You are correct in all your assumptions from my ASA cfg. I know for a fact that they set the encryption domain on the Checkpoint side to Could this be where the problem comes from, since the tunnel endpoint is listed as being a part of the encryption domain on the Checkpoint?



cisco24x7 Thu, 02/12/2009 - 07:04

Please only put host under the Checkpoint local encryption domain. You must NOT put the whole /24 under the Checkpoint local encryption domain. That explains why you have the issue, IMHO.

Furthermore, please select "exchange key per hosts" under the CP VPN community, if you use VPN simplified mode.

Let me know if you still have issues.
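The two posts above (the policy-NAT solution and the follow-up that the Checkpoint encryption domain must hold only the single host) describe the ASA side in outline; below is a worked ASA configuration that puts them together. This is an added example, not the original poster's configuration and not the config cisco24x7 reviewed. Everything concrete in it is an assumption: the interface name "inside" (the thread uses "delta"), the RFC 5737 documentation addresses, the object and ACL names, and the IKE/IPsec proposal, which has to match whatever the customer's community actually uses. The syntax is the pre-8.3 NAT syntax the thread is written in.

```text
! ---- ASA side (ASA 8.x, pre-8.3 NAT syntax; assumed values, see lead-in) ----
! Assumed addresses (RFC 5737 documentation ranges, NOT from the thread):
!   server private IP          10.1.1.10      (behind interface "inside")
!   server public (NAT) IP     203.0.113.10   (the only address the customer will accept)
!   customer FTP host          198.51.100.20  (the Checkpoint's local encryption domain)
!   customer Checkpoint peer   198.51.100.1
!
! 1. Policy NAT: translate the server ONLY when it talks to the customer host.
!    A plain "static (inside,outside) 203.0.113.10 10.1.1.10" would also carry
!    the tunnel, but it exposes the server to the whole Internet, not just the peer.
access-list policy-nat extended permit ip host 10.1.1.10 host 198.51.100.20
static (inside,outside) 203.0.113.10 access-list policy-nat
!
! 2. Crypto ACL = the ASA's encryption domain (the Phase 2 proxy IDs). The ASA
!    applies NAT BEFORE it evaluates the crypto map on the way out, so this ACL
!    must name the TRANSLATED address, never 10.1.1.10. It must also mirror the
!    Checkpoint exactly: host 203.0.113.10 <-> host 198.51.100.20. A /24 on the
!    Checkpoint side against a host here is a proxy-ID mismatch and Phase 2 fails.
access-list outside_cryptomap_20 extended permit ip host 203.0.113.10 host 198.51.100.20
!
! 3. Do NOT also list 10.1.1.10 -> 198.51.100.20 in a "nat (inside) 0 access-list"
!    exemption: exempted traffic leaves untranslated, misses the crypto ACL above,
!    and is either dropped or forwarded in the clear.
!
! 4. Phase 1 / Phase 2 (assumed proposal; must match the customer's community).
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret>
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.1
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! ---- Verification (run on the ASA) ----
! Walk one FTP packet through the NAT and VPN stages. The output should show a
! NAT phase rewriting 10.1.1.10 -> 203.0.113.10 followed by a VPN encrypt phase;
! if the VPN phase is missing, the crypto ACL is not matching the translated address.
packet-tracer input inside tcp 10.1.1.10 1025 198.51.100.20 21
! Confirm the negotiated proxy IDs are host 203.0.113.10 / host 198.51.100.20
! and that BOTH #pkts encaps and #pkts decaps increase while you test.
show crypto ipsec sa peer 198.51.100.1
show xlate
```

Reading the counters answers the original poster's routing worry directly: encaps increasing with decaps stuck at zero means the ASA is encrypting and sending, and the customer's side is either not routing 203.0.113.10 back into the tunnel or not matching its own encryption domain, which is exactly the /24-versus-host mismatch cisco24x7 points at. Both counters increasing with no application traffic points back at the server or the FTP host rather than the tunnel.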

liv2bldcisco Thu, 02/12/2009 - 09:10

Thanks again for your insight. I have made the request to have the encryption domain changed but that will most likely take a couple days before they get it done. I will post back the result.



liv2bldcisco Thu, 02/19/2009 - 09:09

They finally made the change to the encryption domain to the one ip address and I can successfully pass traffic through. Thanks again for all the help.



