conditional NAT to subinterface which is peer for site to site

husycisco
Level 7

Hi all

Outside interface of the ASA is endpoint for remote access clients. RA clients receive 172.5.x.0 IPs. I created a sub-interface in DMZ with the ip x.x.x.71. I will establish a site-to-site to that subinterface. Question is:

RA clients should be able to reach an IP address at remote peer of site-to-site VPN established on subinterface. But remote peer does not want to allow 172.5.x.0 at their site. They want to see a real IP. Here is what I thought:

Do a conditional NAT for 172.5.x.0 network to subinterface ip by adding following. Subinterface has security level of 3, and outside has 0.

access-list 101 permit ip 172.5.x.0 255.255.255.0 <remote LAN> <remote mask>
nat (inside) 10 access-list 101
global (subinterface) 10 interface

And I get

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

Should I type

nat (outside) 5 172.5.x.0 255.255.255.0 outside

Or should I change the security level of outside to 1 and subinterface to 0? What effects would that cause? Is that it? How should the split tunneling work from now on?

I used packet-trace and watched a packet from 172.5.x to remote lan but it does not walk through my conditional NAT. It first goes through the route

route subinterface remotelan remotemask subintgateway

then, instead of walking through the conditional NAT, it walks through the outside route and I get

6 Oct 19 2007 19:49:01 109025 172.5.x.88 x.175.x.193 Authorization denied (acl=SCSVPN01_restrict) for user 'testbayi' from 172.5.x.88/1499 to x.175.x.193/80 on interface outside using TCP

Any help is much appreciated

I don't want permit same security traffic

Regards

1 Reply (accepted solution)

amritpatek
Level 6

You should first try the command "nat (outside) 5 172.5.x.0 255.255.255.0 outside" and, if this is not working, you can change the security level of outside to 1 and the subinterface to 0. Another workaround could be to configure hairpinning on the ASA.
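As an added, constructed example (not configuration from the question or the reply), this pre-8.3 ASA fragment shows the outside-NAT variant the reply suggests, with the L2L crypto ACL written against the translated address. The subinterface name DMZ-L2L, its address 203.0.113.71, the RA pool 172.5.1.0/24, the remote LAN 192.0.2.0/24 and the ACL names are placeholders.

```cisco
! Constructed example, pre-8.3 ASA NAT syntax as used in the thread.
! Placeholders: DMZ-L2L / 203.0.113.71, RA pool 172.5.1.0/24, remote LAN 192.0.2.0/24.
interface GigabitEthernet0/1.10
 nameif DMZ-L2L
 security-level 3
 ip address 203.0.113.71 255.255.255.0
!
! Only RA-pool traffic bound for the remote LAN gets the translated address.
access-list RA_TO_REMOTE extended permit ip 172.5.1.0 255.255.255.0 192.0.2.0 255.255.255.0
!
! Outside NAT: the RA clients' decrypted packets ARRIVE on outside (security 0)
! and leave via the higher-security subinterface, so the rule is bound to
! "outside" with the trailing "outside" keyword the original WARNING asked for.
! "nat (inside)" never matched because these packets never enter via inside.
nat (outside) 10 access-list RA_TO_REMOTE outside
global (DMZ-L2L) 10 interface
!
! The tunnel's interesting-traffic ACL must match the POST-NAT source, i.e. the
! subinterface address the remote peer wants to see, not 172.5.1.0/24.
access-list L2L_CRYPTO extended permit ip host 203.0.113.71 192.0.2.0 255.255.255.0
crypto map L2L_MAP 10 match address L2L_CRYPTO
crypto map L2L_MAP interface DMZ-L2L
!
route DMZ-L2L 192.0.2.0 255.255.255.0 203.0.113.1
!
! Verification. Ingress and egress are different interfaces, so no change of
! security levels and no "same-security-traffic permit intra-interface" is needed:
!   packet-tracer input outside tcp 172.5.1.88 1499 192.0.2.5 80
!   show xlate | include 172.5.1.
! The 109025 "Authorization denied (acl=...)" line in the question is a
! per-user/group filter ACL rejecting the flow; that ACL must also permit
! 172.5.1.0/24 to 192.0.2.0/24, otherwise the packet is dropped on outside.
```

The packet-tracer output should show the NAT phase hitting RA_TO_REMOTE and the egress interface as DMZ-L2L; if it still exits via outside, the route or the filter ACL, not the NAT rule, is what needs attention.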