Cisco ASA 5505: Force NAT before IPsec?

Posted by WuckaChucka on Server Fault See other posts from Server Fault or by WuckaChucka
Published on 2011-01-11T22:23:23Z Indexed on 2011/01/11 22:55 UTC
Read the original article Hit count: 436

Filed under:
|
|

I'm trying to route public-to-public IPs over an IPSec tunnel. However, the src IP is not "interesting" to the Cisco's IPSec engine because it doesn't appear to be getting translated to the outside IP before being evaluated by the Cisco's IPSec engine.

From WEST to EAST, my public-to-public IPSec works fine: I can make a request from 192.168.0.5:any to 200.200.200.200:80 because the Vyatta does the NAT translation before the IPSec tunnel inspects the traffic, so the remote-subnet and local-subnet matches (see below). However from EAST to WEST, I see a deny in my Cisco logging buffer for Deny tcp src inside:192.168.1.5/59195 dst outside:100.100.100.100/80 which leads me to believe that the IPSec engine is not matching the encrypt_acl because the address has not been translated yet.

Any ideas?

WEST (Vyatta):

  • inside: 192.168.0.0/24
  • inside host: 192.168.0.5/24
  • outside: 100.100.100.100
  • IPSec local-subnet: 100.100.100.100/32
  • IPSec remote-subnet: 200.200.200.200/32

EAST (Cisco):

  • inside: 192.168.1.0/24
  • inside host: 192.168.1.5/24 (DNAT'ed on port 80 to outside)
  • outside: 200.200.200.200
  • IPSec local-subnet: 200.200.200.200/32
  • IPSec remote-subnet: 100.100.100.100/32

© Server Fault or respective owner

Related posts about cisco

Related posts about nat