
I have the following setup:

Customer <-> HQ <-> Branchoffice

  • The Customer has a 192.168.1.0/24 subnet.
  • On the HQ only the VPN Gateway is in my context, 172.20.10.1.
  • And on the Branchoffice side the network 172.30.0.0/16 is present.

Between HQ <-> Customer and Branchoffice <-> HQ there are IPSec tunnels (tunnel mode).

  • The HQ <-> Customer Tunnel has 192.168.90.0/30 as source and 192.168.1.0/24 as destination network configured.
  • The Branchoffice <-> HQ Tunnel has 172.30.0.0/16 as source and 192.168.1.0/24, 172.20.0.0/16 as destination.

The reason why I'm using 192.168.90.0/30 as source is that we NAT/PAT every connection through 192.168.90.1 to hide our internal structure from our customer. So I have a NAT rule configured as:

  • src interface isp
  • dst interface isp
  • dst ip 192.168.1.0/24
  • pat over 192.168.90.1 / isp interface

That works fine for our road warrior VPN (IPSec / L2TP) on the HQ ASA but not for the branch office tunnel. The ASA is searching for a crypto map that matches 172.30.30.10 as src and 192.168.1.12 as dst, which, as expected, cannot be found. How can I make routing packets over PAT from our branch office to our customer work?

Additional Info: ASA Software Version 8.2(4) HQ / 8.2(5) branchoffice

  • What version of ASA OS are you running? Also, it is practically impossible to answer questions like this without also seeing the config. Can you paste a copy of the config (removing any passwords or sensitive data?) – Peter Grace Jun 20 '14 at 19:52
  • I thought it might be possible to point out a simple logical fail why the ASA skips the NAT table, but I'll add the configs soon; SW version added – user227291 Jun 20 '14 at 20:31
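To make the lookup described in the question concrete, here is an added Python model (not from the post, and not Cisco code) of an ordered crypto-ACL search over the question's subnets, run once on the untranslated source and once on the PATed source. The peer names, the HQ-side mirroring of the branch ACL, and the sample hosts 172.30.30.10 and 192.168.1.12 are taken from the question; the rule layout is an assumption.

```python
from ipaddress import ip_address, ip_network

# Crypto ACLs on the HQ ASA in crypto map sequence order, built from the
# subnets in the question (HQ-side view of each tunnel). Peer names are assumed.
HQ_CRYPTO_MAP = [
    ("branchoffice", [("192.168.1.0/24", "172.30.0.0/16"),
                      ("172.20.0.0/16", "172.30.0.0/16")]),
    ("customer",     [("192.168.90.0/30", "192.168.1.0/24")]),
]

# The PAT rule from the question: traffic towards the customer subnet is
# translated to 192.168.90.1 on the isp interface.
PAT_RULES = [("192.168.1.0/24", "192.168.90.1")]


def lookup_crypto_map(src: str, dst: str, crypto_map=HQ_CRYPTO_MAP):
    """Return the first peer whose crypto ACL matches src -> dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for peer, acl in crypto_map:
        for src_net, dst_net in acl:
            if s in ip_network(src_net) and d in ip_network(dst_net):
                return peer
    return None


def apply_pat(src: str, dst: str, rules=PAT_RULES) -> str:
    """Return the translated source when a PAT rule covers the destination."""
    d = ip_address(dst)
    for dst_net, pat_ip in rules:
        if d in ip_network(dst_net):
            return pat_ip
    return src


def select_tunnel(src: str, dst: str, pat_first: bool):
    """Model both orderings: crypto lookup on the raw or on the PATed source.

    Returns (effective source, matched peer or None)."""
    effective_src = apply_pat(src, dst) if pat_first else src
    return effective_src, lookup_crypto_map(effective_src, dst)


if __name__ == "__main__":
    # Branch host to customer host, as in the question: no match on the raw
    # source, a match on the customer map once the source is 192.168.90.1.
    for pat_first in (False, True):
        print("PAT first:", pat_first,
              select_tunnel("172.30.30.10", "192.168.1.12", pat_first))
```

The model reproduces the symptom in the question: with the untranslated branch source no crypto ACL matches, while the same packet with the PATed source 192.168.90.1 lands in the customer crypto map entry.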
