ASA to Zscaler IKEv2 Tunnel with NAT-T enabled

This article talks about how to establish IKEv2 tunnel from ASA to Zscaler using Ikev2. When NAT is in place ASA starts sending its ike-id as private IP address which Zscaler cannot understand. ASA doesn’t have an option to set IKE-ID as FQDN, setting up IKE-ID as key-id doesn’t work with Zscaler because Zscaler doesn’t identify key-id as FQDN.

To solve this problem we can create VPN credentials using the private IP address of the ASA

In the screenshot above is the private IP address of the ASA notice that the authentication type this time is IP address and not FQDN

We can then create a location and called the VPN credentials and Static IP address (because it is static VPN Tunnel). Note that you can have multiple Static IP address on a Location so If you want to tie Public IP to a location along with the private IP address that will work too. Refer to the screenshot below I have a public as well as a private IP Space in Static IP address section.


On the ASA we can set the identity to AUTO and let ASA use IKE-ID as its private IP address. With that configuration in place we can build a tunnel to Zscaler

1 Like