I have the following setup:
Customer <-> HQ <-> Branchoffice
- The customer has a 192.168.1.0/24 subnet.
- At the HQ, only the VPN gateway (172.20.10.1) is in my context.
- On the branch office side, the network 172.30.0.0/16 is present.
Between HQ <-> Customer and Branch office <-> HQ there are IPsec tunnels (tunnel mode).
- The HQ <-> Customer tunnel has 192.168.90.0/30 configured as the source network and 192.168.1.0/24 as the destination network.
- The Branch office <-> HQ tunnel has 172.30.0.0/16 as the source and 192.168.1.0/24, 172.20.0.0/16 as the destination.
The reason I am using 192.168.90.0/30 as the source is that we NAT/PAT every connection through 192.168.90.1 to hide our internal structure from our customer. So I have a NAT rule configured as:
- src interface isp
- dst interface isp
- dst ip 192.168.1.0/24
- pat over 192.168.90.1 / isp interface
That works fine for our road warrior VPN (IPsec / L2TP) on the HQ ASA, but not for the branch office tunnel. The ASA is searching for a crypto map that matches 172.30.30.10 as src and 192.168.1.12 as dst, which, as expected, cannot be found. How can I change that so that routing packets over PAT from our branch office to our customer works?
Additional info: ASA software version 8.2(4) at HQ / 8.2(5) at the branch office