pfSense to Cisco ASA VPN NAT Not Working


  • Greetings,

    I searched the forums for a similar problem and haven't found one I understand.

    The gist:

    We have a client with a Cisco ASA and we have a pfSense router with firmware version 2.1.2. I have the Phase 1 tunnel setup and connected. The Phase 2 with NAT seems to be the problem.

    The client uses the same subnet we do internally (192.168.22.0) and requested that I NAT 192.168.125.41 > 192.168.22.41 – our internal server; the server I'm trying to communicate with on the Cisco ASA side is 192.168.3.2.

    So, Phase 1 works and the tunnel is up.

    Local IP:  192.168.22.41
    Remote IP: 192.168.3.2

    Suggested NAT: 192.168.125.41 > 192.168.22.41

    The client says that they can see packets leave their side, but they're not returned.

    IPsec: SPD

    Source           Destination      Direction  Protocol  Tunnel endpoints
    192.168.3.2      192.168.125.41              ESP       X.X.X.X -> X.X.X.X
    192.168.22.41    192.168.3.2                 ESP       X.X.X.X -> X.X.X.X
    192.168.22.0/24  192.168.3.2                 ESP       X.X.X.X -> X.X.X.X

    I greatly appreciate any assistance with this problem.

    I can't seem to attach screenshots without the post failing.


  • For some reason the IP address I used initially wouldn't connect to the remote side. I changed the IP and we now have a working tunnel, except that the remote side cannot ping or communicate with mine via NAT. I can ping and talk to their side, but not them to mine.

    I have IPsec firewall rules that allow everything just to eliminate that part.

    IPv4 TCP/UDP  *  *  *  *  *  none
    IPv4 ICMP     *  *  *  *  *  none

    I have an IPsec NAT:

    IPsec X.X.X.X 192.168.125.193 192.168.22.193

    For Phase 2 I have:

    Local Network: LAN Subnet
    NAT/BINAT: Address 192.168.125.193
    Remote Network: 192.168.3.14

    The remote side has a subnet on their LAN the same as our 192.168.22.0/24 so we need to NAT 192.168.125.0.

    Is there something really obvious I'm missing? I feel dumb and frustrated.
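Added example, not from either poster and not pfSense's own code: a small Python model of the 1:1 (BINAT) translation used on a Phase 2 entry. It derives the traffic selectors both tunnel ends must agree on (translated local network on one side, remote network on the other) and shows the address-preserving mapping of host bits, so the real 192.168.22.x address leaves the tunnel as 192.168.125.x and comes back the same way. The assumption it encodes, which follows from 1:1 translation, is that a network translation needs the same prefix length on the real and translated side: a /24 local network cannot be mapped onto a single translated address. The three configurations fed to it are constructed from the two posts above (the first post's host-to-host entry, the second post's "LAN Subnet" with a single BINAT address, and a corrected /24-to-/24 version).

```python
import ipaddress


def translate(addr, real_net, binat_net):
    """Map one address through a 1:1 (BINAT) translation.

    The host bits of `addr` inside `real_net` are kept and the network
    bits are replaced with those of `binat_net`.  Calling it with the two
    networks swapped performs the reverse (inbound) mapping.
    """
    real_net = ipaddress.ip_network(real_net, strict=False)
    binat_net = ipaddress.ip_network(binat_net, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in real_net:
        raise ValueError(f"{ip} is not inside {real_net}")
    host_bits = int(ip) & int(real_net.hostmask)
    return ipaddress.ip_address(int(binat_net.network_address) | host_bits)


def check_phase2(local, binat, remote):
    """Validate a Phase 2 BINAT entry and return the selectors each side needs.

    local  - the real local network or host ("Local Network" in pfSense)
    binat  - the translated network or host ("NAT/BINAT translation")
    remote - the remote network or host ("Remote Network")

    Returns a dict with an "error" key when the entry cannot work as a
    1:1 translation, otherwise the outbound and inbound selector pairs.
    Assumption (this example's, not a quote from the pfSense docs): a
    network-to-network BINAT needs identical prefix lengths on both sides.
    """
    local_n = ipaddress.ip_network(local, strict=False)
    binat_n = ipaddress.ip_network(binat, strict=False)
    remote_n = ipaddress.ip_network(remote, strict=False)

    if local_n.prefixlen != binat_n.prefixlen:
        return {"error": f"{local_n} (/{local_n.prefixlen}) cannot be translated "
                         f"1:1 onto {binat_n} (/{binat_n.prefixlen}); "
                         f"use a translated network of the same size"}
    if binat_n.overlaps(remote_n):
        return {"error": f"translated network {binat_n} overlaps remote {remote_n}"}

    return {
        # what the remote end sees as the interesting traffic (its crypto map / ACL)
        "outbound": (str(binat_n), str(remote_n)),
        "inbound": (str(remote_n), str(binat_n)),
        # only the real local range is ever visible behind the translation
        "real_local": str(local_n),
    }


if __name__ == "__main__":
    # Constructed from the thread: first post (host to host), second post
    # (LAN /24 with a single BINAT address), and a corrected /24-to-/24 entry.
    configs = [
        ("192.168.22.41", "192.168.125.41", "192.168.3.2"),
        ("192.168.22.0/24", "192.168.125.193", "192.168.3.14"),
        ("192.168.22.0/24", "192.168.125.0/24", "192.168.3.14"),
    ]
    for local, binat, remote in configs:
        print(f"local={local} binat={binat} remote={remote}")
        print("  ", check_phase2(local, binat, remote))

    # A reply from 192.168.3.14 to 192.168.125.193 must land on 192.168.22.193
    print(translate("192.168.125.193", "192.168.125.0/24", "192.168.22.0/24"))
```

The second configuration is the one that gets rejected: a LAN-sized local network paired with a single translated address has no way to represent the other 253 hosts, and the check points at a translated /24 instead. The reverse `translate` call at the end is the inbound direction, which is the path the remote side reported as not returning.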