PfSense to Cisco ASA VPN NAT Not Working
-
Greetings,
I searched the forums for a similar problem and haven't found one I understand.
The gist:
We have a client with a Cisco ASA and we have a pfSense router with firmware version 2.1.2. I have the Phase 1 tunnel setup and connected. The Phase 2 with NAT seems to be the problem.
The client uses the same subnet we do internally (192.168.22.0) and requested that I NAT 192.168.125.41 > 192.168.22.41 – our internal server; the server I'm trying to communicate with on the Cisco ASA side is 192.168.3.2.
So, Phase 1 works and the tunnel is up.
Local IP: 192.168.22.41
Remote IP: 192.168.3.2
Suggested NAT: 192.168.125.41 > 192.168.22.41
The client says that they can see packets leave their side, but they're not returned.
IPsec: SPD

Source           Destination      Direction  Protocol  Tunnel endpoints
192.168.3.2      192.168.125.41              ESP       X.X.X.X -> X.X.X.X
192.168.22.41    192.168.3.2                 ESP       X.X.X.X -> X.X.X.X
192.168.22.0/24  192.168.3.2                 ESP       X.X.X.X -> X.X.X.X

I greatly appreciate any assistance with this problem.
I can't seem to attach screenshots without the post failing.
-
For some reason the IP address I used initially wouldn't connect to the remote side. I changed the IP and we now have a working tunnel, except that the remote side cannot ping or otherwise communicate with mine via NAT. I can ping and talk to their side, but they can't reach mine.
I have IPsec firewall rules that allow everything just to eliminate that part.
IPv4 TCP/UDP * * * * * none
IPv4 ICMP * * * * * none

I have an IPsec NAT:
IPsec X.X.X.X 192.168.125.193 192.168.22.193
For Phase 2 I have:
Local Network: LAN Subnet
NAT/BINAT: Address 192.168.125.193
Remote Network: 192.168.3.14

The remote side has a subnet on their LAN the same as our 192.168.22.0/24, so we need to NAT 192.168.125.0.
Is there something really obvious I'm missing? I feel dumb and frustrated.
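As an added illustration (not code from the original thread or from pfSense), the following script checks a Phase 2 entry of the kind described in both posts: it encodes the rule that a 1:1 BINAT needs equal prefix lengths on the local and translated networks, that a whole-subnet local network translated to a single address is a one-way many-to-one translation, and it derives the selectors the peer's crypto ACL has to mirror (the translated address, not the overlapping 192.168.22.x one). The network values are taken from the posts; the function names are mine.

```python
"""Sanity-check a pfSense IPsec Phase 2 NAT/BINAT entry against overlapping
subnets and derive the selectors the far side must match.
Constructed example; not from the original post or from the pfSense project."""
from ipaddress import ip_network


def phase2_nat_check(local, nat, remote):
    """Return (mode, problems, selectors) for one Phase 2 entry.

    local  - Phase 2 "Local Network" (host or CIDR)
    nat    - Phase 2 "NAT/BINAT Translation" (host or CIDR)
    remote - Phase 2 "Remote Network" (host or CIDR)
    selectors - (src, dst) pairs expected in the SPD; the peer's crypto ACL
                must reference the translated network, never the real one.
    """
    local_n, nat_n, remote_n = (ip_network(x, strict=False)
                                for x in (local, nat, remote))
    problems = []
    if local_n.overlaps(remote_n):
        problems.append("local and remote networks overlap; traffic must be translated")
    if nat_n.overlaps(remote_n):
        problems.append("translated network overlaps the remote network")
    if nat_n.overlaps(local_n):
        problems.append("translated network overlaps the local network")

    if nat_n.prefixlen == local_n.prefixlen:
        # Every local host maps to one fixed translated host: both directions work.
        mode = "1:1 BINAT"
    elif nat_n.num_addresses == 1:
        # Whole local subnet hidden behind one address: only local-initiated
        # connections have a mapping, so the peer cannot reach local hosts.
        mode = "many-to-one NAT"
        problems.append("many-to-one NAT is outbound only: "
                        "the remote side cannot initiate to local hosts")
    else:
        mode = "invalid"
        problems.append("BINAT needs equal prefix lengths: local /%d vs NAT /%d"
                        % (local_n.prefixlen, nat_n.prefixlen))

    selectors = [(str(nat_n), str(remote_n)),   # outbound, after translation
                 (str(remote_n), str(nat_n))]   # inbound, before un-translation
    return mode, problems, selectors


def peer_acl_matches(peer_src, peer_dst, selectors):
    """True if the peer's (its local -> our translated) ACL mirrors our SPD."""
    return (peer_src, peer_dst) in selectors
```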