ASA issue transferring traffic between IPSEC encryption domains using NAT - please he

    I have been fighting this for longer than I would want to admit. So any help would be greatly appreciated

    Basically we need to connect a client via IPSEC to an ASA 5510 in Brazil and then using the same 5510 send that traffic source and destination NAT'd over another IPSEC tunnel that connects back to our data center in the US where the service the client needs is located.

    Why don't we just connect directly from the client device to the US you ask? Good question, and it involves the typical politics and sales promises.

    I have attached a sanitized diagram of what we are trying to accomplish with the relevant configlets.

    The IPSEC tunnel from the client to the ASA 5510 in Brazil is up. The IPSEC tunnel between Brazil and the US has not come up, because I do not think the interesting traffic is making it there. As best I can tell, NATing does not work how I would expect when all the traffic stays on the same interface and comes from an IPSEC tunnel.

    I should note that we had no problem with the same setup when we did not have an IPSEC tunnel between the client and the 5510. We were able to source and destination NAT outside to outside and send the new translated IPs through the Brazil-US tunnel.

    Thank you in advance for any help!
  • #2
    Re: ASA issue transferring traffic between IPSEC encryption domains using NAT - pleas

    You appear to be on the right track. You have the intra-interface and static outside-to-outside commands set. These two commands would definitely be needed to handle VPN traffic arriving (decrypted) and leaving (encrypted) on the same interface (outside).

    When you view the SA (show crypto ipsec sa) for the tunnel from the client to Brazil, are the source and destination correct, and are the encryption/decryption counters incrementing as you expect? When I see one of the SA counters incrementing and the other not, it's usually a NAT/NONAT configuration issue.

    How about the crypto-map match address ACLs for the encryption domains? Do they match the source/destination after being NAT'd? How about at the other end of the tunnels?

    Does the command "show xlate" match your NAT configuration?

    How about the route statements? Do you have a summarized 10/8 route pointing to the inside interface? If so, you would need a route statement for the address pointing to the outside interface. Otherwise the decrypted traffic would be routed to inside interface instead of the outside interface which would bring up the other tunnel.

    Sorry, that's all I can think of.
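The checklist in the reply above (intra-interface, static outside-to-outside, crypto ACLs on post-NAT addresses, routes pointing the hairpinned traffic at outside) as one pre-8.3 ASA configlet. This is an added illustration and not the original poster's attached config: every address here is assumed (RFC 5737 documentation ranges for the public side, 10.10.10.10 and 172.16.5.5 for the real client and service hosts), the peer and gateway addresses are placeholders, and ISAKMP policy, tunnel-groups and pre-shared keys are omitted.

```text
! Added example, not the poster's config. Assumed addresses:
!   10.10.10.10   real client host behind the client-to-Brazil tunnel
!   192.0.2.10    mapped source: what the US end sees as the client
!   192.0.2.60    mapped destination: the address the client was told to use for the service
!   172.16.5.5    real service address in the US data center
!   198.51.100.1  client VPN peer    203.0.113.1  US VPN peer    203.0.113.254  Brazil outside gateway

! 1. Decrypted traffic must be allowed to leave the interface it arrived on.
same-security-traffic permit intra-interface

! 2. Source and destination NAT, both on the outside interface.
!    Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
!    First line: client 10.10.10.10 appears as 192.0.2.10 toward the US tunnel.
!    Second line: client traffic sent to 192.0.2.60 is delivered to 172.16.5.5;
!    replies from 172.16.5.5 are sourced as 192.0.2.60 toward the client tunnel.
static (outside,outside) 192.0.2.10 10.10.10.10 netmask 255.255.255.255
static (outside,outside) 192.0.2.60 172.16.5.5 netmask 255.255.255.255

! 3. Crypto ACLs are evaluated against post-NAT addresses.
!    Client <-> Brazil: local side is the mapped service address, remote is the real client.
access-list CLIENT_VPN extended permit ip host 192.0.2.60 host 10.10.10.10
!    Brazil <-> US: local side is the mapped client address, remote is the real service.
!    The US end's crypto ACL must be the mirror image (172.16.5.5 -> 192.0.2.10).
access-list US_VPN extended permit ip host 192.0.2.10 host 172.16.5.5

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CLIENT_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address US_VPN
crypto map OUTSIDE_MAP 20 set peer 203.0.113.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 4. Routing. After NAT the forward packet is destined to 172.16.5.5 and the reply
!    to 10.10.10.10. With a 10/8 summary toward inside, both need host routes toward
!    outside, or the packets never reach the crypto map on the outside interface.
route inside 10.0.0.0 255.0.0.0 10.1.1.1
route outside 10.10.10.10 255.255.255.255 203.0.113.254
route outside 172.16.5.5 255.255.255.255 203.0.113.254

! 5. Make sure NAT exemption does not swallow this flow: a
!    "nat (outside) 0 access-list ..." entry that covers 10.10.10.10 bypasses the statics,
!    and the crypto ACL for the US tunnel then never matches.
```

To confirm the flow on the box, simulate the client's first packet with `packet-tracer input outside tcp 10.10.10.10 1025 192.0.2.60 443 detailed`: the NAT phase should show both statics applied and the VPN phase should select the US_VPN entry; if the trace ends at a ROUTE-LOOKUP toward inside, the host routes in step 4 are what is missing. `show xlate` should then list both translations, and `show crypto ipsec sa peer 203.0.113.1` should show encaps and decaps counters both incrementing.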