Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hi Mark,

It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the 192.168.2.0/24 subnet that exits the outside interface UNLESS the destination is 192.168.39.0/24 (the other end of the VPN).

You can use this example for PAT:

Cisco ASA PAT configuration

The only thing left to do is to create an exception for your VPN traffic, like this:

object network LOCAL_SUBNET
 subnet 192.168.2.0 255.255.255.0

object network REMOTE_SUBNET
 subnet 192.168.39.0 255.255.255.0

! The nat command takes interface nameifs, not object names. INSIDE is assumed
! to be the nameif of your LAN interface; replace it with whatever yours is called.
nat (INSIDE,OUTSIDE) source static LOCAL_SUBNET LOCAL_SUBNET destination static REMOTE_SUBNET REMOTE_SUBNET

This tells the ASA not to translate traffic from the local to the remote subnet.

If you are also doing NAT on R2 then you’ll need to add a deny statement in the access-list that you use for NAT that matches traffic between 192.168.39.0/24 and 192.168.2.0/24.

Hope this helps!

Rene

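As an added worked example (not part of Rene's reply or Mark's configuration), here is what the R2 side looks like when R2 is an IOS router doing NAT overload with an access-list, plus a packet-tracer check on the ASA to confirm the exemption is actually matched. Interface names (GigabitEthernet0/0 and GigabitEthernet0/1 on R2, INSIDE and OUTSIDE on the ASA), the ACL names NAT_ACL and VPN_TRAFFIC, and the host addresses used in packet-tracer are assumptions, not values from the thread.

```cisco
! ===== R2 (IOS) =====
! IOS evaluates the NAT access-list top-down and stops at the first match,
! so the deny for VPN traffic has to sit ABOVE the permit. If it comes after,
! the permit matches first and the VPN traffic gets translated anyway.
ip access-list extended NAT_ACL
 deny   ip 192.168.39.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.39.0 0.0.0.255 any
!
! Assumed interface names
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
!
! The crypto ACL matches the untranslated (pre-NAT) addresses, so it must
! describe exactly the traffic the NAT deny line excludes from translation.
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.39.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Quick check on R2: the deny line's hit counter should increase when you
! send traffic towards 192.168.2.0/24, and "show ip nat translations" should
! show no entries for those flows.
show ip access-lists NAT_ACL
show ip nat translations

! ===== ASA =====
! Simulate a packet from a local host to a remote host (addresses assumed).
! In the output, the NAT phase should reference the identity rule
! (LOCAL_SUBNET -> LOCAL_SUBNET) and a VPN phase should follow it. If the
! NAT phase shows the PAT rule instead, the exemption is not being matched.
packet-tracer input INSIDE tcp 192.168.2.10 12345 192.168.39.10 80
!
! Hit counts per NAT rule; the identity rule should show translate_hits > 0.
show nat detail
```

One ordering note for the ASA side: the "nat (INSIDE,OUTSIDE) source static ..." exemption is a manual (twice) NAT rule, which the ASA evaluates before any object NAT rule, so it takes precedence over a PAT configured under "object network" regardless of the order you typed them. If your PAT is itself a manual NAT rule, the exemption has to come first in that list (for example by adding it with "nat (INSIDE,OUTSIDE) 1 source static ..."), for the same reason the deny has to precede the permit in the IOS access-list.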