
IPSec with responder inside ipsec tunnel


Hello,

I need help with my setup.

Topology:

ER (inside: 192.168.0.0/24, outside: 172.16.0.2) - NAT device (172.16.0.1) - INTERNET - ASA (outside: 123.123.123.123, inside: 10.0.0.0/24)

I have created an IPsec tunnel from ER:inside to ASA:inside, and it works fine.

Now I need a tunnel from ER:inside to ASA:outside (I want to access from the ASA portal one application inside the ER network, and the ASA uses its outside interface to communicate with it).

If I create a tunnel from ER:inside to ASA:outside, IPsec sets up a new route to 123.123.123.123 over the IPsec interface, so the IPsec tunnel breaks.

Here is my configuration:

ipsec {
    auto-firewall-nat-exclude disable
    esp-group FOO0 {
        proposal 1 {
            encryption 3des
            hash sha1
        }
    }
    esp-group FOO1 {
        proposal 1 {
            encryption 3des
            hash sha1
        }
    }
    ike-group FOO0 {
        proposal 1 {
            dh-group 2
            encryption 3des
            hash sha1
        }
    }
    ike-group FOO1 {
        proposal 1 {
            dh-group 2
            encryption 3des
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
    }
    nat-traversal enable
    site-to-site {
        peer 123.123.123.123 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret top-secret
            }
            connection-type initiate
            description "Cisco ASA"
            ike-group FOO0
            local-address 172.16.0.2
            tunnel 1 {
                esp-group FOO0
                local {
                    prefix 192.168.0.0/24
                }
                remote {
                    prefix 10.0.0.0/24
                }
            }
        }
    }
}
root@edgemax# show service nat
 rule 5000 {
     destination {
         group {
             network-group REMOTE_SUBNETS (=10.0.0.0/24)
         }
     }
     exclude
     outbound-interface eth0
     outside-address {
         address 172.16.0.2
     }
     source {
         group {
             network-group LOCAL_SUBNETS  (=192.168.0.0/24)
         }
     }
     type source
 }

After setting up the new tunnel with the ASA outside interface, I got this error in syslog:

             tunnel 2 {
                 esp-group FOO0
                 local {
                     prefix 192.168.0.0/24
                 }
                 remote {
                     prefix 123.123.123.123/29
                 }
             }
Jun 29 12:58:21 edgemax pluto[29120]: ERROR: asynchronous network error report on eth0 for message to 123.123.123.123 port 4500, complainant 172.16.0.2: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
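A configuration sanity check for the situation this thread describes, added here as an example (it is not the poster's code and not part of EdgeOS): it parses a site-to-site block in the indented "show" layout and flags any tunnel whose remote prefix contains the peer's own IKE endpoint, which is exactly what tunnel 2 above does with 123.123.123.123/29. The sample config is constructed from the values in the post; the parser assumes one statement per line.

```python
import ipaddress

# Constructed config mirroring the post's two tunnels (not the poster's real file).
SAMPLE_CONFIG = """
ipsec {
    site-to-site {
        peer 123.123.123.123 {
            local-address 172.16.0.2
            tunnel 1 {
                remote {
                    prefix 10.0.0.0/24
                }
            }
            tunnel 2 {
                remote {
                    prefix 123.123.123.123/29
                }
            }
        }
    }
}
"""

def parse_config(text):
    """Parse brace-delimited EdgeOS config text into nested dicts (leaf -> value)."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):      # open block: "peer 1.2.3.4 {" or "remote {"
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":           # close block
            stack.pop()
        else:                       # leaf: "prefix 10.0.0.0/24"
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def find_self_covering_tunnels(text):
    """(peer, tunnel, remote prefix) for each tunnel whose remote selector contains the peer."""
    findings = []
    peers = parse_config(text).get("ipsec", {}).get("site-to-site", {})
    for name, peer in peers.items():
        if name.startswith("peer "):
            peer_ip = ipaddress.ip_address(name.split()[1])
            for tname, tun in peer.items():
                prefix = tun.get("remote", {}).get("prefix") if isinstance(tun, dict) else None
                if prefix and peer_ip in ipaddress.ip_network(prefix, strict=False):
                    findings.append((str(peer_ip), tname, prefix))
    return findings

if __name__ == "__main__":
    print(find_self_covering_tunnels(SAMPLE_CONFIG))
```

Any tunnel it reports will send the IKE (UDP 500/4500) and ESP packets destined for the peer into the tunnel they are meant to establish, so the peer becomes unreachable as soon as the policy is installed.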
