NAT Problem over Ipsec. Virtual IP on LAN interface



Hello,

I've been struggling with a NAT problem with an IPsec tunnel to a Cisco ASA firewall.

On my end I have a pfSense 2.2.4 firewall. On the other end the customer has a Cisco ASA.
The subnet on my end is 192.168.20.0/24 and on the customer's end 64.x.x.x/32.

One of the problems we had was that the internal subnet on my end (192.168.20.0/24) was already used by the customer for another IPsec tunnel.
The idea was then to create a virtual IP on my side that they could use instead.
I created an IP alias on the LAN interface (10.25.250.100/32).

When using that IP alias as the local subnet in the Phase 2 IPsec settings the tunnel works, but we can't get any traffic from the 192.168.20.0/24 subnet to 64.x.x.x/32.

I can ping the 10.25.250.100 address from the 192.168.20.0/24 net without any problem. I also created a firewall rule to allow all traffic from the IPsec interface to 192.168.20.0/24.

I also created an outbound NAT rule that looks like this:

Interface: LAN
Source: 192.168.20.0/24
Source Port: *
Destination: 64.x.x.x/32
Destination Port: *
NAT address: 10.25.250.100
NAT Port: *
Static Port: No

Still no luck.
Not sure if I'm thinking correctly here. Open to suggestions on how to make this work.

/Thomas
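Added example, not from the poster: a small Python model of why an outbound NAT rule bound to the LAN interface never touches traffic heading into the tunnel (outbound NAT fires on the packet's egress interface, and the Phase 2 selector is checked against whatever source address the packet carries at that point), and what changes when the translation is done in Phase 2 instead. It assumes pfSense's Phase 2 "NAT/BINAT translation" option (2.2 and later) is the mechanism used for the fix, and uses 64.0.2.1 as a constructed stand-in for the customer's 64.x.x.x/32.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values mirroring the post; 64.0.2.1 stands in for the
# customer's 64.x.x.x/32, which the post does not spell out.
LAN = ip_network("192.168.20.0/24")
VIRTUAL = ip_address("10.25.250.100")
REMOTE = ip_network("64.0.2.1/32")
ROUTES = [(LAN, "lan"), (ip_network("0.0.0.0/0"), "wan")]  # tunnel peer is reached via WAN

def egress_interface(dst):
    """Longest-prefix route lookup (the real box uses the FreeBSD routing table)."""
    dst = ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def apply_outbound_nat(src, dst, rules):
    """Outbound NAT rules are bound to an interface and only fire when that
    interface is the packet's egress interface (pf semantics)."""
    egress = egress_interface(dst)
    for iface, src_net, dst_net, nat_addr in rules:
        if iface == egress and src in src_net and dst in dst_net:
            return nat_addr
    return src

def tunnel_source(src, dst, cfg):
    """Source address the IPsec SA would carry, or None if Phase 2 does not
    select the packet (it then leaves untranslated via WAN and never reaches the peer)."""
    src, dst = ip_address(src), ip_address(dst)
    src = apply_outbound_nat(src, dst, cfg["outbound_nat"])      # step 1: interface-bound NAT
    binat, selector = cfg.get("binat"), cfg["p2_local"]
    if binat is not None and src in cfg["p2_local"]:            # step 2: Phase 2 translation
        src, selector = binat, ip_network(f"{binat}/32")        # many LAN hosts -> one virtual IP
    if src in selector and dst in cfg["p2_remote"]:             # step 3: Phase 2 selector match
        return str(src)
    return None

# The post's configuration: virtual IP as the Phase 2 local network plus an
# outbound NAT rule on the LAN interface.
POSTED_CFG = {"p2_local": ip_network(f"{VIRTUAL}/32"), "p2_remote": REMOTE,
              "outbound_nat": [("lan", LAN, REMOTE, VIRTUAL)]}
# Assumed fix: keep the real LAN as the Phase 2 local network and let the
# Phase 2 NAT/BINAT translation rewrite it to the virtual IP before selection.
BINAT_CFG = {"p2_local": LAN, "p2_remote": REMOTE, "outbound_nat": [],
             "binat": VIRTUAL}

if __name__ == "__main__":
    print("posted config:", tunnel_source("192.168.20.50", "64.0.2.1", POSTED_CFG))  # None
    print("binat config :", tunnel_source("192.168.20.50", "64.0.2.1", BINAT_CFG))   # 10.25.250.100
```

The model shows the LAN-bound rule is skipped because the packet's egress interface is WAN, so the untranslated 192.168.20.x source never matches the 10.25.250.100/32 selector; translating inside Phase 2 makes the selector match.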

