I have a 2611 behind a 2801 that uses private addressing and is not internet accessible. What I am trying to do, and it works but has an issue, is set up an IPSEC tunnel to the network behind the 2801 over a 1:1 NAT translation, but when I do so, it causes a problem with users connecting to VMAIL desktop, which is on a private network. What I would like to do is terminate the VPN on a Loopback interface and set up the 1:1 to the Loopback. The problem is, traffic will not pass over the loopback. If I take that address and set it as primary on the ethernet and the original IP as secondary, I can pass traffic, but I don't think this is a viable approach as all the VoIP traffic goes over this interface as well. It's complicated, but doable. My main question is, can IPSEC from a PIX work on a loopback? If not, is there another way to set up NAT so the traffic from the 192 network doesn't use NAT, but the 1:1 still works for IPSEC?
I got the tunnel up, but it appears to have one-way routing. I also noticed I cannot ping the PIX from the router and vice versa, even though ICMP is allowed. It makes it hard to verify it is working when no one is on site and I am doing this remotely from outside both devices. Are there any routes I need to add to either device so the traffic knows where to go?
I was doing that, no luck. Even in the lab, when I can ping PC to PC, I wasn't able to ping the router/PIX interface. I had them try to connect to the end devices and no luck, so something is missing. The tunnel is up, I see encrypted packets when I do show cry ips sa, but no decrypted packets. It is as though it is only one-way traffic.
I attached the crypto information; the 10.0.0.0 information was tested with and without it in there, same results.
The PIX side is a 10.100.100.0 network, the 2611 side is 192.168.1.0, and there are other subnets in the 192 range as well.
Since this is going through a NAT device, I overlooked this one, or I should say completely forgot about it. I also found I needed to enable inside management-access on the PIX in order to ping it remotely. It is working now; at least I can ping from the PIX to inside machines on the 2611, and the 2611 can ping the PIX, but not the machine behind it, which may be the machine itself.
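The layout the thread converges on, written out as an added configuration example; this is not the poster's attached config (which is not on the page) and not vendor-supplied text. It assumes a 2611 with Ethernet0/0 toward the 2801 and Ethernet0/1 on the 192.168.1.0/24 LAN, a loopback at 192.168.254.1/32, the 2801 holding public address 203.0.113.5 as the 1:1 static for that loopback, and the PIX at 198.51.100.1 in PIX 6.3 syntax; every address other than 10.100.100.0/24 and 192.168.1.0/24, and all interface, map and ACL names, are placeholders. The point behind the first post's loopback problem: the crypto map is bound to the physical interface the encrypted traffic leaves through, and the loopback is handed to it as the IKE/IPsec source address with `crypto map ... local-address`; the loopback itself carries no crypto map, so it does not need to be primary on the ethernet and the VoIP traffic on that interface is untouched.

```cisco
! ===== 2611 (VPN endpoint behind the 2801) =====
! Placeholder loopback: the address the 2801 translates 1:1 to 203.0.113.5.
interface Loopback0
 ip address 192.168.254.1 255.255.255.255
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
! The 2611 sees the PIX's real address, so the key is indexed by it.
crypto isakmp key REPLACE-ME address 198.51.100.1
! Keepalives hold the 2801's UDP 4500 binding open while the tunnel is idle.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Interesting traffic: LAN behind the 2611 to LAN behind the PIX.
! Add one permit per additional 192.168.x.0 subnet that should use the tunnel
! (and mirror it in the PIX's crypto and NONAT ACLs).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.100.100.0 0.0.0.255
!
! Source IKE and ESP from the loopback rather than from the interface's primary address.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! The crypto map goes on the interface toward the 2801, where packets exit.
interface Ethernet0/0
 ip address 192.168.0.2 255.255.255.0
 crypto map VPN
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! 10.100.100.0/24 must route out the crypto-mapped interface, or the map never sees it.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! ===== 2801 (NAT device in front of the 2611) =====
! 1:1 static for the loopback only. Static NAT rewrites the address for any IP
! protocol, so ESP, UDP 500 and UDP 4500 all pass; the rest of the LAN keeps PAT.
ip nat inside source static 192.168.254.1 203.0.113.5
ip access-list standard LAN
 permit 192.168.0.0 0.0.255.255
ip nat inside source list LAN interface FastEthernet0/0 overload
! Return routes to the loopback and to the LAN subnets behind the 2611.
ip route 192.168.254.1 255.255.255.255 192.168.0.2
ip route 192.168.1.0 255.255.255.0 192.168.0.2
! If the outside interface has an inbound ACL, it is evaluated before NAT on
! outside-to-inside packets, so it must admit IKE and ESP to the global address.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.5 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.5 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.5
!
! ===== PIX (10.100.100.0/24 side, PIX 6.3 syntax) =====
! Exempt tunnel traffic from the PIX's own NAT; otherwise inside hosts' packets
! are translated before the crypto ACL is matched and never enter the tunnel.
access-list NONAT permit ip 10.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list VPN-TRAFFIC permit ip 10.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
! The PIX only ever sees the 2801's global address, so peer and key use it.
isakmp key REPLACE-ME address 203.0.113.5 netmask 255.255.255.255
! NAT-T lets IKE detect the 2801 and carry ESP in UDP 4500; harmless with a
! 1:1 static, required if this address is ever behind PAT instead.
isakmp nat-traversal 20
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN-TRAFFIC
crypto map VPN 10 set peer 203.0.113.5
crypto map VPN 10 set transform-set TS
crypto map VPN interface outside
! Let decrypted traffic bypass the outside ACL, and allow the inside interface
! to answer pings that arrive through the tunnel (the finding in the last post).
sysopt connection permit-ipsec
management-access inside
```

To confirm the loopback is really the source, `show crypto isakmp sa` on the 2611 should list the local side as 192.168.254.1 and `show crypto ipsec sa` should show both encaps and decaps counters climbing; encaps without decaps, as in the third post, means the return path is failing on the far side (crypto ACL, NAT exemption or the 2801's return routes in this layout).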