We have a problem with an appliance running R77.40, IPSEC and source NAT.
- A Star IPSEC VPN with two Gateways (let's call our site Alice and the opposite side Bob)
- Our (Alice) R77.30 with public IP, opposite side (Bob) Cisco ASA with public IP, so no NAT-T. Let's say 220.127.116.11 for Alice and 18.104.22.168 for Bob.
- Both sites have internal private IPs. Let's say 10.10.10.0/24 in Alice and 192.168.1.0/24 in Bob.
To avoid overlapping problems in the future we agreed on using a small range of public IPs on each side with NAT. Let's say 192.0.2.0/28 in Alice and 22.214.171.124/28 in Bob, so we need to apply NAT.
- Both public ranges and Alice IP range are included in the encryption domains
Traffic from the opposite side to one of our hosts succeeds:
- I (Alice) have a policy: Source: Bob_enc_domain (their public range); Destination: Alice encryption domain (public and private IPs); VPN: the Community; Service: Any; Action: accept.
- And the NAT: Original source: Public IP 1 of Bob; Original destination: Public IP 1 of Alice; Service: 443; Translated source: internal IP of Alice FW (Check Point); Translated destination: internal private IP of Alice; Service: Original.
BUT (This is the problem):
Traffic from the Alice side to Bob doesn't work.
I tried many scenarios. The current one:
- Traffic originated from an Alice internal machine. Source IP: internal (included in Alice encryption domain); Destination IP: Bob public IP (included in Bob encryption domain).
- Firewall rules (tried many): Source: Alice internal private IP; Destination: Bob encryption domain; VPN: Community; Service: Any.
- NAT rule (33): Original source: Alice internal private IP; Original destination: Bob public IP; Service: 10001; Translated source: Public IP 1 of Alice; Translated destination: Original; Translated service: Original.
This fails with an error: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
In the same dialog I see:
NAT Rule number: 33
NAT additional Rule... 1
But no Xlated address appear.
According to what I've read, this should work, but it doesn't.
Can anybody give me some hints?