I have to create an L2L tunnel and PAT the internal network 10.x.x.x to a single address 172.19.1.14 to access a remote site which has a subnet 10.38.49.0/25. The PAT address is dictated by the user at the remote end.
The following are bits from the ASA configuration
access-list in_inside line 1 extended permit ip 10.0.0.0 255.0.0.0 10.38.49.0 255.255.255.128 (hitcnt=43)
access-list CONDITIONAL_NAT; 1 elements
access-list CONDITIONAL_NAT line 1 extended permit ip 10.0.0.0 255.0.0.0 10.38.49.0 255.255.255.128 (hitcnt=0)
access-list 106 line 1 extended permit tcp host 172.19.1.14 10.38.49.0 255.255.255.128 (hitcnt=0)
access-list 106 line 2 extended permit udp host 172.19.1.14 10.38.49.0 255.255.255.128 (hitcnt=0)
crypto map YYY-Crypto-Map 30 match address 106
crypto map YYY-Crypto-Map 30 set pfs group5
crypto map YYY-Crypto-Map 30 set peer x.x.x.x
crypto map YYY-Crypto-Map 30 set transform-set tertiary
crypto map YYY-Crypto-Map 100 ipsec-isakmp dynamic YYY-Dynamic-Map
crypto map YYY-Crypto-Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 30
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
nat (Inside) 99 access-list CONDITIONAL_NAT
global (Outside) 99 172.19.1.14
I can see traffic for 10.38.49.109 arriving at the firewall - look at the hit count on the ACL, but thats as far as it goes. If I traceroute the 10.38.49.109 address the traffic goes via the outside interface of the firewall, but icmp is blocked at the far end and cannot be enabled.. The 1st phase show cry is sa tells me that phase is not completing and I am assured the far end configuration for the tunnel matches with my end. I did manage to establish conenctivity by hard coding a PC with 172.19.1.14 and could conenct, te tunnel came up etc However i am at a loss as to how to get this to work in the way I need it to.
Could be the configuration i am trying does not work, but it is based on an example from this site, which does give me some confidence.
Any help and advice appreciated. Thanks