dyn. policy SNAT via IPSec Site2Site VPN

Unanswered Question
Oct 26th, 2009


I have a question regarding dynamic policy NAT and IPSEC Site2Site connections.

Kinda hard to explain, but I will do my best.

The current setup is

- two sites, site A (ASA 5520) and site B (ASA5505). Both with FW 8.2

- Both sites are connected via IPSec S2S tunnel

- At site A I have a customer router connected, with a transfer network of

- Our customer requires us to SNAT every connection that goes to the customer network

- The SNAT IP has to be from the transfer network

At site A it works quite simply.

I have a dynamic policy NAT defined that every source IP from site A ( )

that has as destination will be translated to

The problem is site B ( ).

In this case I have a dyn. policy NAT at the ASA5505 at site B.

Every source IP from site B ( ) that has as destination will be translated to

This IP is included in the S2S tunnel to site A and should normally be forwarded.

When I try to access the customer network at site A, it works pretty fine. When I try this at site B I don't get any connection.

At site B I don't see any errors. ACLs, NAT, the IPSec tunnel, everything seems to be fine. The source IP gets natted, enters the tunnel and is sent to site A.

At site A I also don't see any errors at all.

All I see is something like this on the ASA site A:

6 Oct 26 2009 12:18:04 302013 14304 8001 Built inbound TCP connection 182622841 for outside: ( to int_trans_network: (

Strange thing is that I don't see any packets leaving the interface on the ASA. Is there any FW bug?!

Any comments and recommendations are welcome!!



Herbert Baerten Wed, 10/28/2009 - 11:11

First of all, I think it might be easier if you do the NAT on the customer router, if possible.

If that's not an option, you could do the NAT for site B also on the ASA on site A.

If you want to stick with your current solution, do you really need policy NAT? I suppose you could just use global PAT. Anyway, to troubleshoot: I see you NAT to 192.168.2.x on ASA B, but you said the customer requires 192.168.1.x, could that be it?

If not, check the "packet-tracer" command to verify what happens to a packet coming from B.

One other thing: you'll need a static route for the return traffic to site B.

TomHofmann Thu, 10/29/2009 - 02:32

Unfortunately it is not possible for me to do the NAT on the customer router. They have certain policies that force me to do it on my devices.

The IPs are correct. Must have been a typo since I had to replace all the original addresses due to our NDA.

How can I implement a static NAT or policy NAT at the ASA on site A?

When a user from site B wants to access the customer network, the request is included in the VPN tunnel and sent to the ASA at site A. And now I don't know where I can implement the NAT rule.

Then I could also use PAT.

Just don't know the "right" place for this NAT rule.
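The placement Herbert suggests (translate site B's traffic on the site A ASA, on its way out toward the customer router) and the packet-tracer check, as an added ASA 8.2 configuration sketch that is not from anyone in this thread. The site B LAN 10.20.0.0/24, the customer network 10.200.0.0/24, the mapped address 192.168.1.10 and NAT ID 5 are constructed placeholders; the interface names "outside" and "int_trans_network" follow the log line in the question.

```cisco
! Added example, not the poster's config. Addresses are constructed placeholders:
! site B LAN 10.20.0.0/24, customer network 10.200.0.0/24, mapped address
! 192.168.1.10 (from the 192.168.1.x transfer range the customer requires).
! Interfaces: "outside" = VPN side, "int_trans_network" = customer router side.

! 1) Match only site B -> customer traffic arriving decrypted from the tunnel.
access-list SITEB_TO_CUSTOMER extended permit ip 10.20.0.0 255.255.255.0 10.200.0.0 255.255.255.0

! 2) Policy NAT on the real (inbound) interface. The trailing "outside" keyword
!    selects outside NAT, needed when the real interface (outside) has a lower
!    security level than the mapped interface (int_trans_network).
nat (outside) 5 access-list SITEB_TO_CUSTOMER outside

! 3) Mapped address on the transfer network. A single address means PAT,
!    which is what Herbert proposes instead of one-to-one policy NAT.
global (int_trans_network) 5 192.168.1.10

! The ASA proxy-ARPs for 192.168.1.10 on int_trans_network, so the customer
! router's return traffic reaches this ASA and is untranslated to 10.20.0.0/24
! before the crypto map is matched. Site B's crypto ACL must therefore carry
! the real 10.20.0.0/24 source (no longer a translated address) to
! 10.200.0.0/24, and the site A crypto ACL mirrors it.

! 4) Verify with the check Herbert mentions: trace a constructed site B packet.
packet-tracer input outside tcp 10.20.0.15 1025 10.200.0.80 443 detailed
! Expected: a NAT phase showing 10.20.0.15 translated to 192.168.1.10,
! output-interface int_trans_network, Action: allow.
```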


This Discussion