
Problem with IPSEC tunnel and source NAT

Question asked by SRE Tuenti on Feb 1, 2018
Latest reply on Feb 5, 2018 by SRE Tuenti

Hello

We have a problem with an appliance running R77.40, IPSEC and source NAT.

Scenario:

- A Star IPSEC VPN with two Gateways (let's call our site Alice and the opposite side Bob)

- Our side (Alice) is R77.30 with a public IP, the opposite side (Bob) is a Cisco ASA with a public IP, so no NAT-T. Let's say 8.8.8.8 for Alice and 4.4.4.4 for Bob.

- Both sites have internal private IPs. Let's say 10.10.10.0/24 in Alice and 192.168.1.0/24 in Bob.

- To avoid overlapping problems in the future we agreed on using a small range of public IPs on each side with NAT. Let's say 192.0.2.0/28 in Alice and 13.13.13.0/28 in Bob, so we need to apply NAT.

- Both public ranges and Alice IP range are included in the encryption domains


Traffic from the opposite side to one of our hosts succeeds:

- I (Alice) have a Policy: Source: Bob_enc_domain (their public range), Destination: Alice encryption domain (public and private IPs), VPN: the Community, Service: Any, Action: accept

- And the NAT: Original source: Public IP 1 of Bob, Original destination: Public IP 1 of Alice, Service: 443. Translated source: internal IP of Alice FW (Check Point), Translated destination: internal private IP of Alice, Service: Original


BUT (This is the problem):

Traffic from the Alice side to Bob doesn't work.

I tried many scenarios. The current one:

- Traffic originated from Alice internal machine, Source IP, internal (included in Alice encryption domain), Destination IP, Bob public IP (included in Bob encryption domain)

- Firewall rules (tried many): Source: Alice internal private IP, Destination: Bob encryption domain, VPN: Community, Service: Any.

- NAT rule (33): Original source: Alice internal private IP, Original destination: Bob public IP, Service: 10001. Translated source: Public IP 1 of Alice, Translated destination: Original, Translated service: Original


This fails with an error: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information


In the same dialog I see:

NAT Rule number: 33

NAT additional Rule... 1

But no Xlated address appear.


According to what I've read, this should work, but it doesn't.


Can anybody give me some hints?
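Added check, not from the post or from Check Point: a small Python model that applies the post's NAT rule 33 and then tests whether the pre-NAT and post-NAT address pairs each fall inside Alice's and Bob's encryption domains. It assumes the usual gateway behaviour that source NAT is applied before IPsec encryption, so the Phase 2 selectors have to cover the translated addresses; 192.0.2.1 standing in for "Public IP 1 of Alice", the 8.8.8.8 contrast rule and the host addresses are constructed values, and ports are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Encryption domains as described in the post: Alice is the Check Point side,
# Bob is the Cisco ASA side. Alice's domain holds both the private range and
# the public NAT range; Bob's domain holds Bob's public NAT range.
ALICE_DOMAIN = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "192.0.2.0/28")]
BOB_DOMAIN = [ipaddress.ip_network("13.13.13.0/28")]

@dataclass
class NatRule:
    orig_src: str             # network matched against the original source
    orig_dst: str             # network matched against the original destination
    xlate_src: Optional[str]  # translated source, or None to keep the original
    xlate_dst: Optional[str]  # translated destination, or None to keep the original

def in_domain(addr: str, domain) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in domain)

def apply_nat(src: str, dst: str, rules) -> tuple:
    """First-match NAT, as a rule base is evaluated top-down; ports are ignored."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.orig_src) and d in ipaddress.ip_network(r.orig_dst):
            return (r.xlate_src or src, r.xlate_dst or dst)
    return (src, dst)

def selector_check(src: str, dst: str, rules) -> dict:
    """Report whether the pre-NAT and post-NAT pairs each lie inside
    local domain x remote domain, i.e. whether a Phase 2 SA could cover them."""
    post_src, post_dst = apply_nat(src, dst, rules)
    return {
        "pre_nat": (src, dst),
        "pre_nat_covered": in_domain(src, ALICE_DOMAIN) and in_domain(dst, BOB_DOMAIN),
        "post_nat": (post_src, post_dst),
        "post_nat_covered": in_domain(post_src, ALICE_DOMAIN) and in_domain(post_dst, BOB_DOMAIN),
    }

# Constructed stand-in for the post's rule 33: "Public IP 1 of Alice" taken as 192.0.2.1.
RULE_33 = NatRule("10.10.10.0/24", "13.13.13.0/28", "192.0.2.1", None)
# Constructed contrast: hiding behind the gateway's own external IP, which is not in the domain.
RULE_BAD = NatRule("10.10.10.0/24", "13.13.13.0/28", "8.8.8.8", None)

if __name__ == "__main__":
    print(selector_check("10.10.10.5", "13.13.13.1", [RULE_33]))
    print(selector_check("10.10.10.5", "13.13.13.1", [RULE_BAD]))
```

With the post's rule the translated pair stays inside both domains; the contrast rule shows the shape of a configuration where the pre-NAT pair is covered but the post-NAT pair is not, which is the first thing to rule out when a gateway reports that no SA matches.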
