I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface.I have enabled NAT-T on the thrid party firewall but it still does not get the reply traffic becuase it gets stopped at the Cisco ASA.
Are you doing static-nat for soure-vpn peer address? This static-nat can be natted to same address or to different address as long as the remote-vpn peer reconize your soure-vpn peer address is being reachable.
The third party firewall that is behind the ASA is being NATed to the same public IP address as everything else behind the ASA. The remote vpn device has been configured to expect the public IP and respond to the public IP but the response traffic is dropped at the ASA and never makes it back to the firewall behind the ASA.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...