I have a case open with the TAC already on this, but I thought I would throw this on the community forums (this is my first post) since there might be others experiencing a similar issue.
I've come to expect being able to translate the source of packets coming from the outside interface towards an inbound host. I've usually had to do that when migrating firewalls, for instance, when the internal host's default gateway was pointed somewhere other than the ASA from which the traffic was coming. This would effectively hide the external/VPN/etc. address and replace it with, e.g., the ASA's inside interface IP. The following is sample code which would achieve this previously:
Remote IPSEC tunnel subnet: 192.168.90.0/23
Local server: 22.214.171.124
ip address 10.10.10.1 255.255.255.0
ip address 126.96.36.199 255.255.255.0
access-list outside_nat_outbound extended permit ip 192.168.90.0 255.255.254.0 host 188.8.131.52
access-list inside_nat0_outbound extended permit ip any 192.168.90.0 255.255.254.0
This would effectively change the source of traffic from 192.168.90.0/23 to 184.108.40.206 to the inside interface IP: 220.127.116.11. This config works wonderfully in 8.2, yet upgrading that config to 8.3 yields a broken configuration that doesn't end up changing the source address, and instead leaves it intact.
So far I've had no workaround from the TAC. Either the new NAT engine results in some loss of flexibility, or I can't wrap my head around the solution.
I've already heard "why are you doing this" and "you should instead fix the routing problem". Fact is: this works in 8.2, and so far it doesn't in 8.3. I'm looking for a straight answer whether or not 8.3 simply won't support this configuration any longer.
I've had to do the exact same thing... when someone installs a remote machine and makes a typo in the default gateway. Without hands-on, this is a way to gain remote access to the machine to correct the typo (then take out the nat commands, in my case).
Here's my take on getting the inbound traffic translated:
object network obj-192.168.90.0
subnet 192.168.90.0 255.255.254.0
object network obj-18.104.22.168
nat (any,inside) source dynamic obj-192.168.90.0 interface dest static obj-22.214.171.124 obj-126.96.36.199
But I will say I hate the new 8.3 code and have little experience with it. Let us know what you get to work...
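For comparison, the 8.3 twice NAT (manual NAT) form of the 8.2 outside NAT in the question, with the verification commands a practitioner would run, as an added example that is not from this thread or from Cisco's documentation. It assumes the ASA's inside interface is 10.10.10.1/24 (from the question), the VPN traffic arrives on an interface named "outside", and the object names and the server address 10.10.10.50 are constructed placeholders for the garbled values above.

```cisco
! Added example, not from the thread. Assumptions: inside interface 10.10.10.1/24,
! server 10.10.10.50 (constructed), remote VPN subnet arrives on "outside".
object network REMOTE-VPN-NET
 subnet 192.168.90.0 255.255.254.0
object network LOCAL-SERVER
 host 10.10.10.50
!
! Interface pair is (real,mapped): traffic entering outside and leaving via inside.
! Source 192.168.90.0/23 is dynamically PATed to the inside interface address,
! but only when the destination is LOCAL-SERVER; the destination itself is an
! identity (same object on both sides), so it is left unchanged.
nat (outside,inside) source dynamic REMOTE-VPN-NET interface destination static LOCAL-SERVER LOCAL-SERVER
!
! Verification: the rule should appear under "Manual NAT Policies (Section 1)"
! and accumulate translate_hits; packet-tracer should show the NAT phase
! rewriting the source to 10.10.10.1 before the packet leaves via inside.
show nat detail
packet-tracer input outside tcp 192.168.90.10 40000 10.10.10.50 443 detailed
```

If the migrated configuration instead placed the rule in section 3 (after-auto) or with a different interface pair, an earlier object NAT rule can match first, which is worth checking in the `show nat detail` output before concluding that 8.3 cannot do this.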