NAT Problem over Ipsec. Virtual IP on LAN interface
Thompha last edited by
I've been struggling with a NAT problem with a IPsec tunnel to a Cisco ASA firewall.
On my end I got a Pfsense 2.2.4 Firewall. On the other end the customer got a Cisco ASA.
The subnet on my end is 192.168.20.0/24 and on the customers end 64.x.x.x/32
One of the problems we had was that the internal subnet on my end (192.168.20.0/24) was already used by the customer for an other Ipsec tunnel.
The idea was then to create a virtual IP on my side that they could use instead.
I created an IP alias on the LAN interface (10.25.250.100/32)
When using that IP alias as the local subnet in the Phase 2 Ipsec settings the tunnel works, but we cant get any traffic from the 192.168.20.0/24 subnet to 64.x.x.x/32.
I can ping the 10.25.250.100 adress from 192.168.20.0/24 net without any problem. I also created a firewall rule to allow all traffic from the IPsec interface to 192.168.20.0/24.
I also created a outbound NAT rule that looks like this.
Source Port: *
Destination Port: *
Nat adress: 10.25.250.100
Nat Port: *
Static Port: No
Still no luck.
Not sure if im thinking correctly here. Open to suggestions how to make this work.