I have a question regarding dynamic policy NAT and IPSEC Site2Site connections.
Kinda hard to explain, but I will do my best.
The current setup is
- two sites, site A (ASA 5520) and site B (ASA 5505). Both with FW 8.2
- Both sites are connected via IPSec S2S tunnel
- At site A I have a customer router connected, with a transfer network of 192.168.1.0/29
- Our customer requires us to SNAT every connection that goes to the customer network 172.16.0.0/20
- The SNAT IP has to be from the transfer network 192.168.1.0/29
At site A it works quite simply.
I have a dynamic policy NAT defined so that every source IP from site A (10.10.0.0/10)
that has 172.16.0.0/20 as destination will be translated to 192.168.1.1.
The problem is site B (10.20.0.0/16).
In this case I have a dyn. policy NAT at the ASA 5505 at site B.
Every source IP from site B (10.20.0.0/10) that has 172.16.0.0/20 as destination will be translated to 192.168.1.2.
This IP is included in the S2S tunnel to site A and should normally be forwarded.
When I try to access the customer network at site A, it works fine. When I try this at site B I don't get any connection.
At site B I don't see any errors. ACLs, NAT, the IPSec tunnel, everything seems to be fine. The source IP gets natted, enters the tunnel and is sent to site A.
At site A I also don't see any errors at all.
All I see is something like this on the ASA site A:
6 Oct 26 2009 12:18:04 302013 192.168.2.1 14304 10.188.45.68 8001 Built inbound TCP connection 182622841 for outside:192.168.2.1/14304 (192.168.2.1/14304) to int_trans_network:172.16.1.1/8001 (172.16.1.1/8001)
Strange thing is that I don't see any packets leaving the interface on the ASA. Is there any FW bug?!
Any comments and recommendations are welcome!!
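For readers following the setup above, here is an added illustration (not configuration from the original post or from Cisco) of what the site B side of this design looks like in ASA 8.2 syntax, together with the checks a practitioner would run before suspecting a firewall bug. Interface names (inside, outside, int_trans_network), the crypto map name, the NAT ID 2 and the test host 10.20.1.10 are assumptions; the site A peer address is a placeholder.

```cisco
! ---- Site B (ASA 5505, 8.2) : policy NAT only for traffic bound to the customer network ----
! Assumed interface names: inside (10.20.0.0/16) and outside (tunnel to site A)
access-list CUSTOMER_SNAT extended permit ip 10.20.0.0 255.255.0.0 172.16.0.0 255.255.240.0
nat (inside) 2 access-list CUSTOMER_SNAT
global (outside) 2 192.168.1.2 netmask 255.255.255.255

! On an ASA, NAT is applied before encryption, so the crypto ACL that selects
! "interesting traffic" for the site A tunnel must match the *translated* source,
! i.e. host 192.168.1.2, not the original 10.20.0.0/16 address.
access-list SITEA_VPN extended permit ip host 192.168.1.2 172.16.0.0 255.255.240.0
crypto map OUTSIDE_MAP 10 match address SITEA_VPN

! ---- Checks on site B (replace <SITE_A_PEER_IP> with the real peer address) ----
! 1. Walk one constructed flow through the ASA: the output should show the NAT
!    phase translating to 192.168.1.2 and the VPN phase encrypting, then ALLOW.
packet-tracer input inside tcp 10.20.1.10 12345 172.16.1.1 8001 detailed
! 2. Confirm the SA for 192.168.1.2 -> 172.16.0.0/20 exists and its encaps counter rises.
show crypto ipsec sa peer <SITE_A_PEER_IP>

! ---- Checks on site A ----
! 3. The mirrored crypto ACL must select 172.16.0.0/20 -> host 192.168.1.2 for the return path.
!    Because 192.168.1.0/29 is the directly connected transfer network on site A, verify
!    that the reply to 192.168.1.2 is routed into the tunnel and not resolved locally
!    (ARP on int_trans_network) by the connected route; packet-tracer from that side shows which.
show route
packet-tracer input int_trans_network tcp 172.16.1.1 8001 192.168.1.2 12345 detailed
! 4. Any NAT rule on site A that could match source 192.168.1.2 on the return leg should
!    be excluded (nat 0 / NAT exemption) so the translated address is not rewritten again.
show nat
```

The two packet-tracer runs are the most informative step: the forward one tells you whether site B actually translates and encrypts the flow as the post describes, and the return one on site A shows whether the customer's reply to 192.168.1.2 is sent back through the tunnel or dropped at the route or NAT phase, which is exactly the "connection built but no packets leaving" symptom in the log line above.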