
Cisco ASA 5505 site to site VPN problem

Status
Not open for further replies.

wrighbr1

MIS
Aug 11, 2015
5
US
(Somewhat of a novice on ASA Firewalls) I've set up many VPNs using ASDM on the ASA 5505, but in all of those, the endpoints of the tunnels were internal IPs or ranges of IPs on both ends. Now, a company we are trying to set up a VPN tunnel with will not connect to internal private IPs. They gave me a static public IP for us to use as the endpoint of our side, and then for us to NAT our internal IP for traffic on port 2004 to this public IP. I set it all up the best I knew how but I cannot get the VPN to pass traffic. I used the VPN Wizard in the ASA to create the tunnel. I entered their peer IP and local IP (along with the security settings for phase one and two), entered my local IP (which was the public IP I was given), finished the wizard and the tunnel is created. I then put in a static NAT rule as follows: Original - Interface:inside source - (172.16.x.x), Translated - Interface:outside source - (161.2xx.xxx.xxx) {this is the public IP I was given}, PAT - enable PAT is checked, Protocol TCP, original port: 2004, translated port: 2004.

If I go to Monitoring in the ASA and view that tunnel, it comes up and successfully negotiates Phase One when I get them to try a ping. And in Monitoring, it shows Phase Two and I can see the ping packets as it shows packets RX. But it shows 0 for packets TX. ICMP is enabled and they can ping my peer IP but not the public IP they assigned me. I'm assuming I have it correctly set up, so when they ping the public IP address that I have NAT'ed to my internal IP address, those packets should be routed from that IP address down to my internal one and then the internal host replies. Somewhere in that process I have missed something or I don't completely understand the whole NAT thing.

Any help would be greatly appreciated. The simple problem is a Site to Site VPN where my endpoint is a public IP that needs to be NAT'ed to an internal IP for traffic.
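For readers working through the same setup, here is the ASA 8.3+ CLI equivalent of what the wizard and the static NAT rule above produce, as an added example that is not the poster's configuration. It uses RFC 5737 documentation addresses in place of the real ones, and the object, ACL and crypto map names (INSIDE_HOST, MAPPED_HOST, REMOTE_NET, VPN_TRAFFIC, OUTSIDE_MAP) are assumptions chosen for this example. The point it illustrates is the relationship between the NAT rule and the crypto ACL: on the outbound path the ASA translates before it evaluates the crypto map, so the "interesting traffic" ACL has to name the mapped public address rather than the real inside address. A crypto ACL written against the real address would decrypt inbound packets (RX counts up) but never select the replies for encryption (TX stays at 0), which is one concrete thing to check against the symptom described in the post.

```cisco
! Added example (not the poster's config): ASA 8.3+ site-to-site VPN where the
! local "endpoint" is a public IP that is static-PATed to an inside host.
! Constructed placeholder addresses:
!   192.0.2.10       = inside host (the poster's 172.16.x.x)
!   203.0.113.10     = public IP assigned by the partner (the poster's 161.2xx.xxx.xxx)
!   198.51.100.0/24  = partner network reached through the tunnel
!   198.51.100.1     = partner IKE peer

object network INSIDE_HOST
 host 192.0.2.10
object network MAPPED_HOST
 host 203.0.113.10
object network REMOTE_NET
 subnet 198.51.100.0 255.255.255.0

! Static PAT: TCP/2004 on the inside host appears as TCP/2004 on the mapped public IP.
! This is the CLI form of the ASDM rule in the post (inside -> outside, PAT enabled, port 2004).
object network INSIDE_HOST
 nat (inside,outside) static MAPPED_HOST service tcp 2004 2004

! Crypto ACL. NAT runs before the crypto map check on the outbound path, so the
! ACL must reference the MAPPED address (203.0.113.10), not the real 192.0.2.10.
access-list VPN_TRAFFIC extended permit ip object MAPPED_HOST object REMOTE_NET

! Phase 1 (IKEv1) - parameters here are example values; use what the partner agreed to.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key PSK_PLACEHOLDER

! Phase 2 and crypto map bound to the outside interface.
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Checks (values in the packet-tracer line are constructed):
! 1. Walk a partner packet through NAT and the crypto map and confirm it is
!    untranslated to 192.0.2.10 and allowed.
packet-tracer input outside tcp 198.51.100.50 40000 203.0.113.10 2004 detailed
! 2. Confirm the NAT rule is present and counting hits.
show nat detail
! 3. Confirm an IPsec SA exists for the peer and that both encaps and decaps counters move.
show crypto ipsec sa peer 198.51.100.1
```

The `packet-tracer` output is the quickest way to see which stage drops or mis-routes the flow: the NAT phase should show the untranslate to the inside host, and the VPN phase should show the crypto map match. If `show crypto ipsec sa` reports decaps incrementing while encaps stays at zero, the return traffic is not matching the crypto ACL, which points back at the real-versus-mapped address question above.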
 
