As long as the ASA's outside interface IP address is NAT'ed to a routable IP address, I can't see any way that the remote device would see the internal NAT IP. Are you using static NAT or some type of policy or dynamic NAT?
Right, the ISAKMP Identity address will be the ASA's private IP address...which shouldn't be a problem. The remote device is going to generate its peer reference hash value using the identity address that was sent by your device. The remote device should do a pre-shared key lookup based on the public IP address in the ISAKMP header. What kind of device is being used on the remote end?
Things to check:
1.) Is the remote device using ISAKMP identity addresses?
2.) Is the remote device configured to peer with the public IP of the ASA (as it should be)?
Would like to continue this thread again; wish I could have done this earlier but was on annual leave.
Thanks Patrick for clarifying my concern, good to hear that it's not a topology issue.
The remote end is a freeswan/openswan running on a Linux box. The peering IP address is definitely correct (public IP of ASA NAT-ed by the 3825 router in front) and the ISAKMP identity address is also set to be this same IP (probably the issue here?).
Attached is the ISAKMP debug output from my end (initiating end). 126.96.36.199 is the remote end, 192.168.1.7 is the ASA's outside interface IP before being NAT-ed.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: