I am working on a site-to-site VPN but I can't get it to work properly. My VPN endpoint is a PIX 515 running OS version 6.3(3) (upgrading to 7 is not an option because memory is not sufficient) and the other endpoint is a CheckPoint firewall. The company that I have to make the VPN with requires me to use only one IP address as source, so all my outgoing traffic has to be NAT'ted to one single address (PAT to IP address 10.1.1.10, see below).
The config looks something like this:
object-group network dest-servers
network-object 172.16.1.10 255.255.255.255
network-object 172.16.1.11 255.255.255.255
network-object 172.16.1.12 255.255.255.255
network-object 172.16.1.13 255.255.255.255
network-object 172.16.1.14 255.255.255.255
access-list 110 permit ip host 10.1.1.10 object-group dest-servers
access-list vpn-nat permit ip 192.168.1.0 255.255.255.0 object-group dest-servers
Now when I try to connect from my PC (192.168.1.100) on the inside to one of the destination addresses (for example 172.16.1.10) the tunnel comes up and I see packets going out and returning ('sh ipsec sa'). Also an xlate is created for my inside address to the PAT address 10.1.1.10, and in the logs I see that the PIX is translating the returning VPN traffic with destination address 10.1.1.10 (with the correct port range) back to my inside address 192.168.1.100 (log message 'Building outbound connection for ....'; the 'Building outbound' worried me, but the documentation states that this is because the session was initiated from inside, so it should be right).
Now the problem: return traffic isn't passing the inside interface. So the tunnel is created and looks OK, but when I make, for example, an RDP connection it times out because the PIX doesn't send traffic to my PC.
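To reason about what the poster observes, here is an added example (not from the post) that walks one RDP session through the order of operations implied by the configuration above: policy NAT is applied before the crypto ACL on the way out, and the decrypted return packet is matched against the mirrored crypto ACL and then untranslated via the xlate. It assumes the nat/global statements that the post does not show (nat (inside) 2 access-list vpn-nat and global (outside) 2 10.1.1.10) and a constructed PAT port allocation.

```python
"""Model of the posted PIX 6.3 policy-NAT + crypto-ACL flow for one session.
Assumed (not in the post): nat (inside) 2 access-list vpn-nat and
global (outside) 2 10.1.1.10. PAT port allocation is constructed."""
import ipaddress

PAT_ADDR = ipaddress.ip_address("10.1.1.10")
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
# object-group network dest-servers from the post (172.16.1.10 - .14)
DEST_SERVERS = {ipaddress.ip_address(f"172.16.1.{h}") for h in range(10, 15)}

def vpn_nat_acl(src, dst):
    """access-list vpn-nat: inside subnet -> dest-servers (policy NAT match)."""
    return src in INSIDE_NET and dst in DEST_SERVERS

def crypto_acl(src, dst):
    """access-list 110: host 10.1.1.10 -> dest-servers, evaluated post-NAT."""
    return src == PAT_ADDR and dst in DEST_SERVERS

def outbound(src, sport, dst, dport, xlate):
    """Inside -> outside. Returns (action, translated source, mapped port)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not vpn_nat_acl(src, dst):
        return ("not-nat", str(src), sport)      # leaves untranslated and unencrypted
    mapped = 1024 + len(xlate)                   # constructed PAT port allocation
    xlate[(PAT_ADDR, mapped)] = (src, sport)     # the entry 'show xlate' would list
    action = "encrypt" if crypto_acl(PAT_ADDR, dst) else "cleartext"
    return (action, str(PAT_ADDR), mapped)

def inbound(src, sport, dst, dport, xlate):
    """Decrypted outside -> inside. Mirrors ACL 110, then untranslates via xlate."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not crypto_acl(dst, src):                 # mirrored match on the return packet
        return ("drop-not-interesting", None, None)
    entry = xlate.get((dst, dport))
    if entry is None:
        return ("drop-no-xlate", None, None)     # nothing to untranslate to
    inside, inside_port = entry
    return ("forward-inside", str(inside), inside_port)

def rdp_session(xlate=None):
    """Run the RDP exchange from the post (192.168.1.100 -> 172.16.1.10:3389)."""
    xlate = {} if xlate is None else xlate
    out = outbound("192.168.1.100", 50000, "172.16.1.10", 3389, xlate)
    back = inbound("172.16.1.10", 3389, out[1], out[2], xlate)
    return out, back

if __name__ == "__main__":
    print(rdp_session())
```

The model reproduces what the post reports (xlate created, return packet untranslated to 192.168.1.100); a return packet whose (address, port) pair has no xlate entry is shown as the drop case, which is the first thing to compare against 'show xlate' while the RDP session is timing out.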