Using a Public IP as a remote IPSec Subnet XG v18

I have been racking my brain thinking of how to make this work. What would you do in this scenario? How would you make this work?

I'm trying to setup an IPsec tunnel for a client. We have a pretty simple setup on our end but the vendor, not so much. I can receive ICMP from the vendors remote subnet(which is a public IP) but it doesn't make it to the internal host. I think this is because its Public IP.

 

on our end we have 108.x.x.x as the listening interface and 172.x.x.x/32 as the internal host 

 

On the vendors end(Cisco ASA) they have 204.x.x.x GW Address and 205.x.x.x Remote subnet that they are NATing to a 10.x.x.x/32 address. 

 

so in the Tunnel General Settings (I have this setup as a site to site)

Local gateway:

Listening interface = Port1 - 108.x.x.x

Local ID type = IP address 

Local ID = 108.x.x.x

Local Subnet = 172.x.x.x/32

 

Remote gateway:

Gateway Address = Port1 - 204.x.x.x

Remote ID type = IP address 

Remote ID = 204.x.x.x

Remote Subnet = 205.x.x.x/32

 

Many Thanks for your time...

 

  • Hi,

    have you created a firewall rule to allow the traffic into the local network?

    Ian

  • In reply to rfcat_vk:

    Yes, for testing I have any/any allowed without restrictions. 

  • In reply to Anthony Anderson:

    Hi Anthony,

    what traffic does log viewer show for that firewall rule?

    Ian

  • In reply to rfcat_vk:

    I see a bunch of allowed traffic from the current vendor being passed, it's source is a private IP. This is the old vendor we're replacing but it proves the current IPSec config and policy work. 

    When using the packet sniffer I see a bunch of ICMP request traffic from the 205.x.x.x address enter from the tunnel interface with dst 172.x.x.250(the server) but that's where it dies.
     
    For the new vendor, I'm thinking I need a way to NAT the remote 205.x.x.x public IP to a private IP that can be routed internally but how? 

    I'm dealing with 3 IP's on this tunnel just from the vendor's side. 

    204.x.x.x (Gateway handles phase1)

    205.x.x.x(remote subnet handles phase2)

    10.x.x.x(is what 205.x.x.x NATs to)

     

    but all I see is traffic from 205.x.x.x entering my VPN interface. I can't route that to my 172.x.x.250 on prem server