Please find my requirements and the test results below.
- Created a site-to-site VPN (Client ASA ~ Data Center ASA).
- Tunnel established. Only Client WRKS-A (192.168.1.1) & Data Center Server-A (10.1.1.1) are in the allowed hosts on the VPN ACL.
- Able to transfer files from Client 192.168.1.1 to 10.1.1.1 with no issues.
- Assume a situation where I am taking my Server-A (10.1.1.1) down for maintenance for 6 hours. Until the maintenance is complete, I will have Server-B (10.1.1.2) in place, so that I need not inform the client to add 10.1.1.2 in his ASA.
- Since 10.1.1.2 is not in the allowed VPN ACL, I have a POLICY-NAT configuration in place on the Data Center ASA, so that the file transfer from 192.168.1.1 will not be interrupted.
static (inside,outside) 10.1.1.1 access-list CLIENT_VPN_Policy_NAT
access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.1.1.2 host 192.168.1.1
access-list nonat extended permit ip host 10.1.1.1 host 192.168.1.1
- Successful & able to receive files from 192.168.1.1 to 10.1.1.2 after the policy NAT configuration, & hence I decided that I will use this policy NAT configuration forever, so that the client will keep transferring the files only to 10.1.1.2 forever, though 10.1.1.2 is not in his allowed ACL.
- I have another client 172.16.1.1 on a different VPN tunnel, where I have to permit ONLY 10.1.1.1 to transfer the files from 172.16.1.1. The issue here is, the tunnel establishes, but the client is transferring the files to 10.1.1.2 because a POLICY-NAT for the IP 10.1.1.1 is configured for the previous client.
- Why does this POLICY-NAT reflect on the other tunnels when they also use the same IP 10.1.1.1?
I was assuming that POLICY-NAT would reflect only on the tunnel where I configure it, but this seems to be reflecting on everyone who is using 10.1.1.1.