I am trying to get an ASA running v7 OS working as an easy vpn server behind NAT in the following scenario:
ASA(EZVPN_Server)-----Gateway----Internet-----Gateway-----Router(EZVPN_Client in NEM mode)
There is a static nat entry on the gateway connected to the ASA so all traffic is forwarded from a public address to a private one configured on the firewall. When I connect the ASA directly to the Internet with a public address, it all works fine. However, when it is behind NAT, it gets stuck and cannot negotiate IPSec SAs. I can see on the ezvpn client that an isakmp sa is successfully established (QM_IDLE). However, no SAs can be created. Here's the relevant config on the ASA:
First, I'm a little bit confused that you apply the crypto map to the inside interface, but I assume there is a reason.
If so, where is the "inside network" of the VPN server which communicates with the "inside network" of EZVPN client? I understand it runs in network extension mode.
Verify the IPsec SA with
sh crypto ipsec sa
The (QM_IDLE) is a hint that phase 2 has completed.
If in doubt, do a debug crypto ipsec on the responder (if the system is not loaded heavily); that should give you confidence whether SAs can or can't be established and give you a reason if IPsec SAs are rejected.
Are you positive that IPsec SAs are not established?
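The reply above suggests confirming phase 2 state from sh crypto ipsec sa rather than inferring it from QM_IDLE. The following is an added example, not part of this thread and not Cisco's code: a small parser that reads that show output and reports, per peer, whether an SA is installed, whether packets are actually being encapsulated and decapsulated, and whether the SA is running over NAT-T (UDP 4500). The sample output is constructed, modelled on the ASA show format, and the peer addresses, map name and counters in it are invented for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on ASA "show crypto ipsec sa" output.
# Addresses, map name, SPIs and counters are invented for this example.
SAMPLE_OUTPUT = """\
interface: inside
    Crypto map tag: dynmap, seq num: 10, local addr: 10.1.1.2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7, username: ezvpn-router
      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.1.1.2/4500, remote crypto endpt.: 198.51.100.7/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 7A3B1C9D

    inbound esp sas:
      spi: 0x2F4E6A1B (794126875)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
    outbound esp sas:
      spi: 0x7A3B1C9D (2050694301)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
"""


@dataclass
class IpsecSa:
    """One phase-2 SA pair as reported for a single peer."""
    peer: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    encaps: int = 0          # packets we encrypted and sent
    decaps: int = 0          # packets we received and decrypted
    nat_t: bool = False      # "NAT-T-Encaps" present in the SA settings
    spis: List[str] = field(default_factory=list)


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Walk the show output line by line; a 'current_peer:' line starts a new SA record."""
    sas: List[IpsecSa] = []
    current: Optional[IpsecSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"current_peer: ([^,\s]+)", line)
        if m:
            current = IpsecSa(peer=m.group(1))
            sas.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"#pkts encaps: (\d+)", line)
        if m:
            current.encaps = int(m.group(1))
            continue
        m = re.search(r"#pkts decaps: (\d+)", line)
        if m:
            current.decaps = int(m.group(1))
            continue
        m = re.search(r"local crypto endpt\.: [\d.]+/(\d+), remote crypto endpt\.: [\d.]+/(\d+)", line)
        if m:
            current.local_port, current.remote_port = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"spi: (0x[0-9A-Fa-f]+)", line)
        if m:
            current.spis.append(m.group(1))
        if "NAT-T-Encaps" in line:
            current.nat_t = True
    return sas


def assess(sas: List[IpsecSa]) -> List[str]:
    """Turn parsed SAs into one-line findings an operator can act on."""
    if not sas:
        return ["no IPsec SA: phase 2 never completed"]
    findings = []
    for sa in sas:
        if sa.encaps and sa.decaps:
            state = "passing traffic both ways"
        elif sa.encaps and not sa.decaps:
            state = "sending only, nothing decapsulated (return path dropped?)"
        elif sa.decaps and not sa.encaps:
            state = "receiving only"
        else:
            state = "installed but idle"
        transport = f"NAT-T UDP/{sa.remote_port}" if sa.nat_t else "raw ESP"
        findings.append(f"{sa.peer}: {state} over {transport}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

Fed the real output of sh crypto ipsec sa (for example pasted from the terminal), an empty result confirms the original poster's observation that no phase-2 SA exists, while a record with encaps counting up and decaps stuck at zero points at the UDP 4500 return path rather than at the IKE negotiation itself.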
There is only one interface that is used on the ASA and that is why I configured its name as inside. The ipsec SAs are definitely not established and I checked the sh crypto ipsec sa many times. The debugs give me some messages about retransmissions happening and that usually is a hint that these packets (udp 4500) get dropped somewhere. I will do some more troubleshooting today and post some debugs.