Netgate Discussion Forum

    NAT Problem over Ipsec. Virtual IP on LAN interface

      Thompha

      Hello,

      I've been struggling with a NAT problem with an IPsec tunnel to a Cisco ASA firewall.

      On my end I have a pfSense 2.2.4 firewall. On the other end the customer has a Cisco ASA.
      The subnet on my end is 192.168.20.0/24 and on the customer's end 64.x.x.x/32.

      One of the problems we had was that the internal subnet on my end (192.168.20.0/24) was already used by the customer for another IPsec tunnel.
      The idea was then to create a virtual IP on my side that they could use instead.
      I created an IP alias on the LAN interface (10.25.250.100/32)

      When using that IP alias as the local subnet in the Phase 2 IPsec settings the tunnel works, but we can't get any traffic from the 192.168.20.0/24 subnet to 64.x.x.x/32.

      I can ping the 10.25.250.100 address from the 192.168.20.0/24 net without any problem. I also created a firewall rule to allow all traffic from the IPsec interface to 192.168.20.0/24.

      I also created an outbound NAT rule that looks like this:

      Interface: LAN
      Source: 192.168.20.0/24
      Source Port: *
      Destination: 64.x.x.x/32
      Destination Port: *
      NAT address: 10.25.250.100
      NAT Port: *
      Static Port: No

      Still no luck.
      Not sure if I'm thinking correctly here. Open to suggestions on how to make this work.

      /Thomas

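A check worth running on the box itself, added here as an example and not part of the original post: `pfctl -sn` prints the NAT ruleset pf actually loaded, and the interface named in `nat on <if>` is what matters. pf applies an outbound `nat` rule to packets leaving through that interface, and packets bound for the IPsec tunnel leave through the IPsec interface (enc0), not through the LAN interface they arrived on. The script below parses a `pfctl -sn`-style ruleset and reports which interface the rule for a given source/destination pair is attached to. The rule text is constructed: em1 (LAN) and enc0 (IPsec) are assumed interface names, 203.0.113.10 stands in for the post's 64.x.x.x peer, and `port 1024:65535` is the range pfSense appends when Static Port is left at No.

```shell
#!/bin/sh
# Added example, not code from the original post or from pfSense.
# Given the text of `pfctl -sn` (pf's loaded NAT rules), report which
# interface the outbound NAT rule for a SRC/DST pair is attached to.
# em1 (LAN), enc0 (IPsec) and the peer 203.0.113.10 are constructed
# stand-ins for the interfaces and the 64.x.x.x peer in the post.

# Constructed rulesets: the rule as posted (attached to the LAN interface)
# and the same translation attached to the IPsec interface.
RULESET_AS_POSTED='nat on em1 inet from 192.168.20.0/24 to 203.0.113.10 -> 10.25.250.100 port 1024:65535'
RULESET_ON_IPSEC='nat on enc0 inet from 192.168.20.0/24 to 203.0.113.10 -> 10.25.250.100 port 1024:65535'

# nat_iface_for SRC DST RULESET
# Prints the interface of the first `nat on <if>` rule whose "from" and "to"
# fields match SRC and DST exactly, or "none" if no rule matches.
nat_iface_for() {
    src=$1; dst=$2; rules=$3
    printf '%s\n' "$rules" | awk -v src="$src" -v dst="$dst" '
        $1 == "nat" && $2 == "on" {
            f = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") f = $(i + 1)
                if ($i == "to")   t = $(i + 1)
            }
            if (f == src && t == dst) { print $3; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# tunnel_nat_ok SRC DST RULESET
# Succeeds only when the matching rule is attached to enc0, the interface
# tunnel-bound packets actually leave through; a rule on the LAN interface
# never sees them because pf evaluates "nat on IF" on egress via IF.
tunnel_nat_ok() {
    [ "$(nat_iface_for "$1" "$2" "$3")" = "enc0" ]
}

# Stand-alone run against the two constructed rulesets.
for r in "$RULESET_AS_POSTED" "$RULESET_ON_IPSEC"; do
    echo "rule on $(nat_iface_for 192.168.20.0/24 203.0.113.10 "$r")"
done
```

On a real pfSense 2.2.x box, feed it the live ruleset with `nat_iface_for 192.168.20.0/24 64.x.x.x "$(pfctl -sn)"` from an SSH shell or Diagnostics > Command Prompt, substituting the actual peer address. In the GUI, a translation that is meant to apply inside the tunnel is configured either as an Outbound NAT rule on the IPsec interface or, on 2.2 and later, in the Phase 2 entry's NAT/BINAT translation field with the real local network as Local Network; either way the loaded rule should show up on enc0, not on the LAN interface.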
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.