I have reviewed the very similar questions to mine, but my scenario seems different.
ASA Version 9.7(1)4
I had an IKEv1 site-to-site VPN connection from a remote network in AWS to a remote network on the customer side. I'm bridging both sides with an ASA 5508 (the customer does not want to VPN directly with AWS). The VPN was working fine, but now the customer asks me to change to IKEv2 and NAT the AWS network to a given subnet.
So I have:
Changed the IKEv1 configuration to IKEv2
Created a network object with the given NAT range (Custom-NAT)
Created a NAT rule:
nat (outside,outside) source dynamic AWS_network Custom-NAT destination static Customer Customer
Modified the ACL for this crypto map:
access-list outside_cryptomap extended permit ip object Custom-NAT object Customer
Applied the changes. The tunnel came up (phase 1 and phase 2), but there is no traffic at all.
From logs:
"Built inbound TCP connection" followed by "Teardown TCP connection SYN Timeout". I can see in these logs that the source IP is the original one (it has not been NATted). The syslog ID is 302014, which according to the documentation means: "Force termination after 30 seconds, awaiting three-way handshake completion."
So, I understand I cannot open the TCP socket because the NAT has not taken place yet.
What am I missing?
Any help on this would be very much appreciated,
Elena
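As an added example (not part of the original post), the check described above can be automated over ASA syslog: the 302013 "Built ... connection" message shows the real address followed by the mapped address in parentheses, so comparing the two reveals flows that left the AWS range without being translated into the NAT pool, and 302014 "SYN Timeout" teardowns can be correlated by connection id. The subnets, connection ids and addresses below are constructed placeholders, not values from the post.

```python
import ipaddress
import re

# Constructed sample lines in the ASA 302013/302014 syslog format (placeholder addresses).
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1201 for outside:10.50.0.7/41522 (10.50.0.7/41522) to outside:172.16.9.10/443 (172.16.9.10/443)",
    "%ASA-6-302013: Built inbound TCP connection 1202 for outside:10.50.0.8/41523 (192.0.2.8/41523) to outside:172.16.9.10/443 (172.16.9.10/443)",
    "%ASA-6-302014: Teardown TCP connection 1201 for outside:10.50.0.7/41522 to outside:172.16.9.10/443 duration 0:00:30 bytes 0 SYN Timeout",
]

# Assumed subnets: the AWS side before NAT and the Custom-NAT pool the customer expects.
AWS_NETWORK = ipaddress.ip_network("10.50.0.0/24")
CUSTOM_NAT = ipaddress.ip_network("192.0.2.0/24")

# 302013: "... for src_if:real_addr/port (mapped_addr/port) to dst_if:real_addr/port (mapped_addr/port)"
BUILT_RE = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"\S+:(?P<src>[\d.]+)/\d+ \((?P<src_map>[\d.]+)/\d+\) to "
    r"\S+:(?P<dst>[\d.]+)/\d+ \((?P<dst_map>[\d.]+)/\d+\)"
)
TEARDOWN_RE = re.compile(r"302014: Teardown TCP connection (?P<id>\d+) .* SYN Timeout")


def find_untranslated(lines, aws_net=AWS_NETWORK, nat_pool=CUSTOM_NAT):
    """Return ids of connections whose AWS source address was not mapped into the NAT pool."""
    untranslated = []
    for line in lines:
        m = BUILT_RE.search(line)
        if not m:
            continue
        real = ipaddress.ip_address(m["src"])
        mapped = ipaddress.ip_address(m["src_map"])
        if real in aws_net and mapped not in nat_pool:
            untranslated.append(m["id"])
    return untranslated


def syn_timeouts(lines):
    """Return ids of connections torn down with SYN Timeout (302014)."""
    return [m["id"] for m in map(TEARDOWN_RE.search, lines) if m]


def untranslated_and_timed_out(lines):
    """Connections that were both left untranslated and never completed the handshake."""
    return sorted(set(find_untranslated(lines)) & set(syn_timeouts(lines)))
```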