The error message you are seeing is because the way you are configuring Static policy NAT is incorrect. The ACL "outside-inside" is alright but the access list being used for the NAT, that is, "conditional-nat" is configured the reverse of the way it should be.
Basically, you will need an ACL specifying IP traffic from the Site A server's real IP (in the 10.x.x.x range) destined to the Site B server's IP addresses (SITE_B_CLUSTER). Once you have such an ACL ready, create the static with this ACL and the PUBLIC_IP as the translated IP.
Thank you for your response. This clarifies things quite a bit. I do have a doubt here...
If I have an ACL specifying IP traffic from the Site A server's real IP (in the 10.x.x.x range) destined to the Site B server's IP addresses (SITE_B_CLUSTER), then how would that help, and why would it be required logically?
I mean, the requests are only unidirectional from site B -> site A, and the reason we are applying the ACL is to implement the condition that only specific requests from the SITE_B_CLUSTER get translated to the SITE_A_public ip.
Ohh, and before I forget...
THANK YOU for all your help.
You have been a big help. I'll be implementing this tomorrow morning. I'll get back in case I do have some problem here.
access-list condition-nat permit ip host SITEA-SERVER object-group SITEB_SERVERS
Now when the ASA sees a request coming in on the "outside" interface for the PUBLIC_IP and it is sourced from one of the IP addresses in the "object-group SITEB_SERVERS", then the ASA will match this against the Static policy NAT that we have configured, will untranslate the PUBLIC_IP to the real IP of the server SITEA_SERVER, and will route the traffic out the "inside" interface.
Now if the ASA receives a request on the "outside" interface for the PUBLIC_IP but the packet's source IP is not in the object-group SITEB_SERVERS, then the ASA will not match this packet against this Static NAT and will try to match it against the rest of the config that we have on the ASA.
Hope this makes things clear. Let me know if there are any gray areas.
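The matching logic described above, as an added example that is not part of the thread: a small Python model of how the ASA evaluates a pre-8.3 policy static. The ACL is written in the real-to-mapped direction (source = SITEA_SERVER, destination = SITEB_SERVERS), and on the "outside" interface it is evaluated in reverse. The addresses, interface names and the rule object are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
SITEA_SERVER = "10.1.1.10"        # real IP of the Site A server on "inside"
PUBLIC_IP = "198.51.100.5"        # mapped (translated) IP on "outside"
SITEB_SERVERS = ("203.0.113.0/29",)   # object-group SITEB_SERVERS

@dataclass
class PolicyStatic:
    """Models: static (inside,outside) PUBLIC_IP access-list condition-nat"""
    real_ifc: str
    mapped_ifc: str
    real_ip: str        # ACL source:      host SITEA-SERVER
    mapped_ip: str      # translated IP:   PUBLIC_IP
    acl_dst: tuple      # ACL destination: object-group SITEB_SERVERS

    def in_acl_dst(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.acl_dst)

# Hypothetical rule instance built from the constructed values above.
RULE = PolicyStatic("inside", "outside", SITEA_SERVER, PUBLIC_IP, SITEB_SERVERS)

def translate(rule, ingress_ifc, src, dst):
    """Return (new_src, new_dst) if the packet hits the policy static, else None.

    None means the ASA keeps evaluating the rest of its NAT configuration,
    exactly as described for a packet whose source is not in SITEB_SERVERS.
    """
    if ingress_ifc == rule.mapped_ifc:
        # Inbound on "outside": ACL is evaluated reversed. The packet must be
        # destined to PUBLIC_IP and sourced from the ACL's destination set;
        # the ASA then untranslates PUBLIC_IP to the real server IP.
        if dst == rule.mapped_ip and rule.in_acl_dst(src):
            return (src, rule.real_ip)
    elif ingress_ifc == rule.real_ifc:
        # Outbound on "inside": ACL as written (real source -> Site B hosts);
        # a static is bidirectional, so the real IP is translated to PUBLIC_IP.
        if src == rule.real_ip and rule.in_acl_dst(dst):
            return (rule.mapped_ip, dst)
    return None
```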
The second error message you are concerned about: you are getting this because what you are telling the firewall is that the local IP addresses are on your inside and they all need to be statically translated to one public IP. As you can see, this does not make much sense.
Secondly, as prapanch pointed out, you have the static wrongly configured, as this gives the firewall a feeling that the local hosts are on your inside.
Lastly, I do not understand why you are concerned about using