Hi Andrew,

To make it simple for me could I just add a static NAT from 192.168.21.19 to 172.30.0.19?

If so would this be inside to outside? They need to be able to ping 172.30.0.19.

Yes you could - but then it would mean that NAT from 192.168.21.19 to 172.30.0.19 would be ALL the time.

with policy based NAT - it's based on an ACL, so source & destination have to match BEFORE the NAT takes place.

HTH>

You are right Andrew, I need to get this to work as I don't want this to be "NAT'ed" everywhere.

I have a VPN where 10.10.10.14 sits (ASA VPN so Outside?), 192.168.21.19 (my inside) needs to ping this, however 192.168.21.19 is already used by this company where the VPN is, we agreed to use 172.30.0.19.

That web link looks quite advances, can you add the example you would use?

Andy,

You need to configure the below:-

access-list policy-vpn-nat extended permit ip host 192.168.21.19 host 10.10.10.14 (Source of 192.168.21.19 to destination 10.10.10.14 = true)

access-list crypto-vpn extended permit ip host 172.30.0.19 host 10.10.10.14 (once the above access-list has been hit, the NAT will take place, then the source of 172.30.0.19 to desintation 10.10.10.14 is valid for the VPN)

static (inside,outside) 172.30.0.19 access-list policy-vpn-nat (NAT the source IP of 192.168.21.19 to 172.30.0.19 - based on the acl policy-vpn-nat)

The remote end muct have the same encryption domain for hthe VPN to establish.

HTH>

Hi,

I will copy this into my ASA config and let you know.

Thanks