NAT Problem over IPsec. Virtual IP on LAN interface

  • Hello,

    I've been struggling with a NAT problem with an IPsec tunnel to a Cisco ASA firewall.

    On my end I have a pfSense 2.2.4 firewall. On the other end the customer has a Cisco ASA.
    The subnet on my end is and on the customer's end 64.x.x.x/32.

    One of the problems we had was that the internal subnet on my end ( was already used by the customer for another IPsec tunnel.
    The idea was then to create a virtual IP on my side that they could use instead.
    I created an IP alias on the LAN interface (

    When using that IP alias as the local subnet in the Phase 2 IPsec settings the tunnel works, but we can't get any traffic from the subnet to 64.x.x.x/32.

    I can ping the address from net without any problem. I also created a firewall rule to allow all traffic from the IPsec interface to

    I also created an outbound NAT rule that looks like this.

    Interface: LAN
    Source Port: *
    Destination: 64.x.x.x/32
    Destination Port: *
    NAT address:
    NAT Port: *
    Static Port: No

    Still no luck.
    Not sure if I'm thinking correctly here. Open to suggestions on how to make this work.


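The outbound NAT rule described in the post, written out as the pf rules pfSense generates underneath its GUI, as an added example that is not part of the original post. The post elides the real subnets, so the addresses below are placeholders from the documentation ranges: 192.0.2.0/24 stands for the LAN subnet that collides with the customer's other tunnel, 198.51.100.10 for the IP alias created on the LAN interface, 203.0.113.5 for the customer's 64.x.x.x/32 host, and em1 for the LAN interface name. The point the example makes is how pf matches `nat on` rules: on the interface a packet leaves through, which for tunnel-bound traffic is the IPsec interface enc0, not LAN.

```pf
# Added example, not from the original post. All addresses and the
# interface name em1 are assumed placeholders (see the lead-in).

# pf evaluates "nat on <if>" on the interface the packet LEAVES through.
# This is the rule the post describes (Interface: LAN). It only matches
# packets going out onto the LAN segment itself:
nat on em1 from 192.0.2.0/24 to 203.0.113.5 -> 198.51.100.10

# Packets destined for the remote /32 are routed into the tunnel and leave
# through enc0, so a rule bound to that interface is the one that sees them.
# In the pfSense GUI this is the "IPsec" choice in the Interface dropdown:
nat on enc0 from 192.0.2.0/24 to 203.0.113.5 -> 198.51.100.10

# Checks:
#   pfctl -sn                         # list the NAT rules actually loaded
#   tcpdump -ni enc0 host 203.0.113.5 # source should show as 198.51.100.10
```

`pfctl -sn` shows the translation rules as pf loaded them, including which interface each is bound to, and `tcpdump` on enc0 shows whether the source address has been rewritten before the packet enters the tunnel. pfSense 2.2 also exposes this translation directly in the Phase 2 entry as the "NAT/BINAT translation" address under the local network, which avoids a separate outbound NAT rule altogether.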