I have been racking my brain thinking of how to make this work. What would you do in this scenario? How would you make this work?
I'm trying to set up an IPsec tunnel for a client. We have a pretty simple setup on our end but the vendor, not so much. I can receive ICMP from the vendor's remote subnet (which is a public IP) but it doesn't make it to the internal host. I think this is because it's a public IP.
On our end we have 108.x.x.x as the listening interface and 172.x.x.x/32 as the internal host.
On the vendor's end (Cisco ASA) they have 204.x.x.x as the GW address and 205.x.x.x as the remote subnet, which they are NATing to a 10.x.x.x/32 address.
So in the Tunnel General Settings (I have this set up as a site-to-site):
Listening interface = Port1 - 108.x.x.x
Local ID type = IP address
Local ID = 108.x.x.x
Local Subnet = 172.x.x.x/32
Gateway Address = Port1 - 204.x.x.x
Remote ID type = IP address
Remote ID = 204.x.x.x
Remote Subnet = 205.x.x.x/32
Many Thanks for your time...
Have you created a firewall rule to allow the traffic into the local network?
In reply to rfcat_vk:
Yes, for testing I have any/any allowed without restrictions.
In reply to Anthony Anderson:
What traffic does the log viewer show for that firewall rule?
I see a bunch of allowed traffic from the current vendor being passed; its source is a private IP. This is the old vendor we're replacing, but it proves the current IPsec config and policy work.
I'm dealing with 3 IPs on this tunnel just from the vendor's side.
204.x.x.x (gateway, handles phase 1)
205.x.x.x (remote subnet, handles phase 2)
10.x.x.x (is what 205.x.x.x NATs to)
But all I see is traffic from 205.x.x.x entering my VPN interface. I can't route that to my 172.x.x.250 on-prem server.
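To make the "3 IPs" question concrete, here is an added example (not from anyone in this thread or from any vendor's product) that models the phase-2 traffic selectors as they are configured above and checks which packets they cover in each direction. All concrete octets are constructed stand-ins for the masked 205.x.x.x, 10.x.x.x and 172.x.x.x values; `Phase2Selector`, `covers_inbound`, `covers_outbound` and `classify` are names invented for this example.

```python
# Added example: which packets do the tunnel's phase-2 selectors cover?
# Addresses below are constructed placeholders, not real vendor addresses.
import ipaddress
from typing import NamedTuple


class Phase2Selector(NamedTuple):
    local_subnet: ipaddress.IPv4Network   # "Local Subnet" field of the tunnel
    remote_subnet: ipaddress.IPv4Network  # "Remote Subnet" field of the tunnel


def covers_inbound(sel: Phase2Selector, src: str, dst: str) -> bool:
    """Packet arriving from the peer: src must be in the remote subnet and
    dst in the local subnet, otherwise the SA does not carry it."""
    return (ipaddress.ip_address(src) in sel.remote_subnet
            and ipaddress.ip_address(dst) in sel.local_subnet)


def covers_outbound(sel: Phase2Selector, src: str, dst: str) -> bool:
    """Reply from the on-prem host: the mirror image of covers_inbound."""
    return (ipaddress.ip_address(src) in sel.local_subnet
            and ipaddress.ip_address(dst) in sel.remote_subnet)


def classify(sel: Phase2Selector, packets) -> dict:
    """Map 'src->dst' to whether the inbound selector covers the packet."""
    return {f"{s}->{d}": covers_inbound(sel, s, d) for s, d in packets}


# Tunnel as described in the thread: a /32 on both sides (octets constructed).
TUNNEL = Phase2Selector(
    local_subnet=ipaddress.ip_network("172.16.0.250/32"),
    remote_subnet=ipaddress.ip_network("205.0.0.10/32"),
)

# Constructed sample packets. The vendor host 10.0.0.5 is NATed to
# 205.0.0.10 before it enters the tunnel, so the on-prem side only ever
# sees 205.0.0.10 as the source, which is why 205.x.x.x belongs in
# "Remote Subnet" and 10.x.x.x never appears on this side at all.
SAMPLE_PACKETS = [
    ("205.0.0.10", "172.16.0.250"),  # post-NAT source: covered
    ("10.0.0.5", "172.16.0.250"),    # pre-NAT source: not covered
    ("205.0.0.10", "172.16.0.251"),  # host outside the /32 local subnet
]

if __name__ == "__main__":
    for flow, ok in classify(TUNNEL, SAMPLE_PACKETS).items():
        print(f"{flow}: {'covered' if ok else 'NOT covered'}")
    # The server's replies must go to the NATed address, not to 10.x.x.x.
    print("reply to 205.0.0.10:", covers_outbound(TUNNEL, "172.16.0.250", "205.0.0.10"))
    print("reply to 10.0.0.5:", covers_outbound(TUNNEL, "172.16.0.250", "10.0.0.5"))
```

If the inbound flow is covered but still never reaches 172.x.x.250, the selector is not the problem and the firewall rule or the route toward the internal host is the next thing to check.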