I am just testing out different scenarios in the lab to understand why certain things won't work.
Here's how my lab is set up:
172.19.22.50 (natted to 1.1.1.1)--------SRX----------IPSEC tunnel---------ASA-----172.16.130.1
When I try to set up src-nat for a policy-based VPN (other end is an ASA) and use private/real IPs in the policies on the SRX, the tunnel does come up but won't pass any traffic, and the ASA throws the following errors:
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x4AB132C2, sequence number= 0x146) from 10.102.100.115 (user= 10.102.100.115) to 10.102.101.102.
The decapsulated inner packet doesn't match the negotiated policy in the SA.
The packet specifies its destination as 172.16.130.1, its source as 1.1.1.1, and its protocol as icmp.
The SA specifies its local proxy as 172.16.130.1/255.255.255.255/ip/0 and its remote_proxy as 172.19.22.50/255.255.255.255/ip/0.
%ASA-3-313001: Denied ICMP type=8, code=0 from 1.1.1.1 on interface outside
%ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00
I understand what's happening above, since 172.19.22.50 is a real server behind the SRX being src-natted to 1.1.1.1, and 172.16.130.1 is behind the ASA.
In the policies on the SRX, they are set up to be from 172.19.22.50 to 172.16.130.1, so I understand that it's grabbing the proxy IDs from the policies, and hence the output above is as expected.
Now, on the SRX, if I change the policies and replace 172.19.22.50 (the server behind the SRX) with 1.1.1.1 (its NATed IP), then the policy from trust to untrust will never be hit, since src-nat happens after the policy lookup; thus the trust-to-untrust policy allowing traffic from 1.1.1.1 to 172.16.130.1 will never be hit and the tunnel won't ever come up. That's what the lab is showing me.
Does the above scenario seem correct to you guys? Do you think it implies that we can never use src-nat with a policy-based VPN when the other end is a non-SRX?
Have you ever gotten a policy-based VPN with a non-SRX peer working?
Sorry for such a long post. I know this scenario would be much easier done via a route-based VPN, but I really want to get to the root of this. Thanks!
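The two scenarios in the post, modelled as an added example that is not part of the original post and not Junos or ASA code: a simplified SRX trust-to-untrust pipeline in which the policy lookup runs before source NAT and a policy-based VPN takes its proxy IDs from the matched policy, followed by the ASA-side check that the decapsulated inner packet fits the negotiated proxies (the condition behind %ASA-4-402116). The addresses are the ones from the lab; screens, destination NAT, routing and the IKE exchange itself are left out, and the class and function names are assumptions made for the model.

```python
"""Model of why SRX source NAT and a policy-based VPN to an ASA do not mix.

Assumptions (from the post): policy lookup precedes source NAT on the SRX, and a
policy-based VPN negotiates proxy IDs from the policy's addresses. Everything
else in the flow (screens, destination NAT, routing) is omitted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class TunnelPolicy:
    """A trust->untrust policy whose action is 'permit tunnel ipsec-vpn'."""
    src: str  # source address in the SRX policy (prefix)
    dst: str  # destination address in the SRX policy (prefix)

    def proxy_ids(self):
        # Policy-based VPN: the SRX offers the policy's addresses as proxy IDs.
        # Seen from the ASA, local proxy = our destination, remote proxy = our source.
        return {"asa_local": self.dst, "asa_remote": self.src}


def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def srx_trust_to_untrust(pkt, policies, source_nat):
    """Simplified first-packet path. Returns (proxy_ids, inner_packet) when a
    tunnel policy matches, otherwise (None, reason)."""
    for pol in policies:
        if in_prefix(pkt.src, pol.src) and in_prefix(pkt.dst, pol.dst):
            break
    else:
        return None, "no trust->untrust policy matched; tunnel never triggered"
    # Source NAT is applied after the policy lookup, so the packet that enters
    # the tunnel carries the translated source while the SA keeps the policy's
    # (pre-NAT) addresses as its selectors.
    inner = Packet(source_nat.get(pkt.src, pkt.src), pkt.dst, pkt.proto)
    return pol.proxy_ids(), inner


def asa_accepts(proxy_ids, inner):
    """The check that produces %ASA-4-402116 when it fails: the decapsulated
    packet must fit the SA's remote proxy (source) and local proxy (destination)."""
    return in_prefix(inner.src, proxy_ids["asa_remote"]) and in_prefix(
        inner.dst, proxy_ids["asa_local"]
    )


# Constructed lab values from the post: real server behind the SRX and its NAT address.
SOURCE_NAT = {"172.19.22.50": "1.1.1.1"}
PING = Packet(src="172.19.22.50", dst="172.16.130.1")


def scenario_real_ips():
    """Policy written with the real server IP: tunnel comes up, ASA drops the inner packet."""
    policy = TunnelPolicy("172.19.22.50/32", "172.16.130.1/32")
    proxies, inner = srx_trust_to_untrust(PING, [policy], SOURCE_NAT)
    return {
        "tunnel_up": proxies is not None,
        "inner_src": inner.src,
        "asa_remote_proxy": proxies["asa_remote"],
        "asa_accepts": asa_accepts(proxies, inner),
    }


def scenario_natted_ip():
    """Policy written with the NAT address: the pre-NAT packet never matches it."""
    policy = TunnelPolicy("1.1.1.1/32", "172.16.130.1/32")
    proxies, reason = srx_trust_to_untrust(PING, [policy], SOURCE_NAT)
    return {"tunnel_up": proxies is not None, "reason": reason}


if __name__ == "__main__":
    print("real IPs in policy:", scenario_real_ips())
    print("NAT IP in policy:  ", scenario_natted_ip())
```

Running the model shows the two outcomes from the lab: with the real address in the policy the SA carries 172.19.22.50/32 as the ASA's remote proxy while the inner packet arrives with source 1.1.1.1, so the ASA rejects it; with 1.1.1.1 in the policy the untranslated packet never matches, so no tunnel is ever triggered.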