Cisco Support Community

ASA issue transferring traffic between IPSEC encryption domains using NAT - please help!

I have been fighting this for longer than I would want to admit, so any help would be greatly appreciated.

Basically we need to connect a client via IPSEC to an ASA 5510 in Brazil and then using the same 5510 send that traffic source and destination NAT'd over another IPSEC tunnel that connects back to our data center in the US where the service the client needs is located.

Why don't we just connect directly from the client device to the US you ask?  Good question, and it involves the typical politics and sales promises.

I have attached a sanitized diagram of what we are trying to accomplish with the relevant configlets.

The IPSEC tunnel from the client to the ASA 5510 in Brazil is up. The IPSEC tunnel between Brazil and the US has not come up because I do not think the interesting traffic is making it there. The best I can tell is that NATting does not work how I would expect when all the traffic stays on the same interface and comes from an IPSEC tunnel.

I should note that we had no problem with the same setup when we did not have an IPSEC tunnel between the client and the 5510. We were able to source- and destination-NAT outside to outside and send the new translated IPs through the Brazil-US tunnel.

Thank you in advance for any help!


ASA issue transferring traffic between IPSEC encryption domains

Post your "no-nat" config for the IPSEC tunnels; you are most likely double-NATting the traffic, which is why the second tunnel is not created.
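To make the "double NAT" point concrete, here is an added illustration of how the hairpin described in the question is usually laid out on an ASA; it is not the poster's attached configlets, it assumes ASA 8.3+ object NAT syntax, and every address, object name and ACL name is a constructed placeholder.

```cisco
! Added example, not the poster's config. ASA 8.3+ syntax assumed; all
! addresses are constructed documentation ranges.

! Traffic enters on outside (client tunnel) and leaves on outside (US
! tunnel), so intra-interface forwarding must be permitted.
same-security-traffic permit intra-interface

object network CLIENT_REAL
 subnet 192.0.2.0 255.255.255.0
object network CLIENT_XLATE
 host 198.51.100.10
object network SVC_REAL
 host 203.0.113.50
object network SVC_XLATE
 host 198.51.100.50
object network BRAZIL_LAN
 subnet 10.0.0.0 255.255.255.0

! Section 1 (manual/twice NAT) rules are matched top-down, first match wins.
! Rule 1: the hairpin. Client -> published service address is rewritten to
! translated source -> real US server, all on the outside interface.
nat (outside,outside) 1 source static CLIENT_REAL CLIENT_XLATE destination static SVC_XLATE SVC_REAL

! Rule 2: identity "no-nat" for the client tunnel's own encryption domain
! (here assumed to be the Brazil LAN talking to the client's real range).
! If this rule sat above rule 1 it would match the client's packets first,
! no translation would occur, and the Brazil-US crypto ACL below would never
! see interesting traffic.
nat (inside,outside) 2 source static BRAZIL_LAN BRAZIL_LAN destination static CLIENT_REAL CLIENT_REAL

! Crypto ACLs are evaluated after NAT on egress, so the Brazil-US tunnel
! must match the POST-translation pair.
access-list BRAZIL_TO_US extended permit ip host 198.51.100.10 host 203.0.113.50

! The client-Brazil tunnel matches the addresses the client actually uses
! (local published service address -> remote client range).
access-list CLIENT_TO_BRAZIL extended permit ip host 198.51.100.50 192.0.2.0 255.255.255.0
```

On the running box, `packet-tracer input outside tcp 192.0.2.10 1025 198.51.100.50 443` shows which NAT rule the hairpin flow actually hits and whether the VPN encrypt phase is reached.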
