
Problem with IPSEC tunnel and source NAT

Question asked by SRE Tuenti on Feb 1, 2018
Latest reply on Feb 5, 2018 by SRE Tuenti


We have a problem with an appliance running R77.40, IPSEC and source NAT.


- A Star IPSEC VPN with two Gateways (let's call our site Alice and the opposite side Bob)

- Our (Alice) R77.30 with public IP, opposite side (Bob) Cisco ASA with public IP, so no NAT-T. Let's say Alice and the Bob.

- both sites have internal private IPs. Let's say in Alice and in the Bob.

To avoid overlapping problems in the future we agreed on using a small range of public IP in each side with NAT. Let's say in Alice and in the Bob, so we need to apply NAT.

- Both public ranges and Alice IP range are included in the encryption domains


Traffic from the opposite side to one of our hosts succeeds:

- I (Alice) have a Policy: Source: Bob_enc_domain (their public), Destination: (Alice encryption domain, public and private IPs), VPN: the Community, Service: Any, Action: accept

- And the NAT: Original source: Public IP 1 of Bob, Original destination: Public IP 1 of Alice, Service: 443. Translated source: internal IP of Alice FW (CheckPoint), Translated destination: internal private IP of Alice, Service: original


BUT (This is the problem):

Traffic from Alice side to Bob doesn't work.

I tried many scenarios. The current one:

- Traffic originated from Alice internal machine, Source IP, internal (included in Alice encryption domain), Destination IP, Bob public IP (included in Bob encryption domain)

- Firewall rules (tried many): source: Alice internal private IP, destination: Bob Encryption domain, VPN: Community, service: any.

- NAT rules (33): Original source: Alice internal private IP, Original destination: Bob public IP, Service: 10001. Translated source: Public IP 1 of Alice, Translated destination: Original, Translated service: Original


This fails with an error: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information


In the same dialog I see:

NAT Rule number: 33

NAT additional Rule... 1

But no Xlated address appears.


According to what I've read, this should work, but it doesn't.


Can anybody give me some hints?
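An added example, not part of the original post or of any Check Point tooling: a small Python model of the outbound path described above (NAT rule 33 applied first, then the translated addresses checked against the encryption domains) that can be used to sanity-check a configuration before looking at SA negotiation. The addresses, rule fields and the assumption that both translated endpoints must sit inside the respective encryption domains are constructed placeholders, since the post names no real values.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders: the post names no addresses, so these stand in for
# Alice's private range, the small public ranges on each side, and Bob's public IP.
ALICE_ENC_DOMAIN = [ip_network("10.10.0.0/24"), ip_network("198.51.100.0/29")]
BOB_ENC_DOMAIN = [ip_network("203.0.113.0/29")]

# Hypothetical model of NAT rule 33 from the post: original source = Alice internal
# host, original destination = Bob public IP, service 10001, translated source =
# Public IP 1 of Alice, destination and service left as original.
NAT_RULES = [
    {"id": 33, "orig_src": "10.10.0.5", "orig_dst": "203.0.113.2", "service": 10001,
     "xlate_src": "198.51.100.2", "xlate_dst": "original"},
]

def in_domain(addr, domain):
    """True when addr lies inside any network of an encryption domain."""
    a = ip_address(addr)
    return any(a in net for net in domain)

def apply_nat(src, dst, dport, rules):
    """Apply the first matching static NAT rule (rulebase order); return the rule id
    and the translated (src, dst). A rule id of None means no rule matched."""
    for r in rules:
        if src == r["orig_src"] and dst == r["orig_dst"] and r["service"] in ("any", dport):
            new_src = src if r["xlate_src"] == "original" else r["xlate_src"]
            new_dst = dst if r["xlate_dst"] == "original" else r["xlate_dst"]
            return r["id"], new_src, new_dst
    return None, src, dst

def check_flow(src, dst, dport, rules=NAT_RULES):
    """Model the outbound path: NAT first, then membership of the translated
    addresses in the local and peer encryption domains. Assumption (not stated on
    the page): both must match for the gateway to pick a peer and negotiate an SA."""
    rule_id, post_src, post_dst = apply_nat(src, dst, dport, rules)
    ok = in_domain(post_src, ALICE_ENC_DOMAIN) and in_domain(post_dst, BOB_ENC_DOMAIN)
    return {"nat_rule": rule_id, "xlated_src": post_src, "xlated_dst": post_dst,
            "in_vpn_domains": ok}

if __name__ == "__main__":
    print(check_flow("10.10.0.5", "203.0.113.2", 10001))
    # A translated source outside Alice's domain fails the membership check.
    print(check_flow("10.10.0.5", "203.0.113.2", 10001,
                     [dict(NAT_RULES[0], xlate_src="192.0.2.9")]))
```

Run it with the real encryption-domain networks and NAT rule fields substituted; a flow that reports a matched NAT rule but no translated address in the domains is the first thing to compare against the "no valid SA" drop.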