That was the first method i tried using dynamic PAT with policy nat. But they were not able to ping the tunnel remote lan. when i did a static nat for one of those IPS via the tunnel with policy nat it worked.

Thanks

There is another policy nat via dynamic PAT going to the outside interface. So another policy nat will not do the trick

Can you run a packet-tracer with the dynamic policy NAT configured? And paste the output here?

Regards,

Prapanch

Hello,

If I understand your topology correctly, you have two separate interfaces,

one for VPN and one for outside internet access (please correct me if I am

incorrect). You would like all your internal clients to access the remote

LAN using a different IP. Could you please check the following:

-- Make sure that the firewall has a route statement that points remote

subnets to the VPN interface

router vpn 20.20.20.0 255.255.255.0

-- Make sure that you have a proper NAT statement for the communication

between inside and remote subnet

access-list pnat permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list pnat permit ip 10.10.30.0 255.255.255.0 20.20.20.0 255.255.255.0

global (vpn) 10 192.168.3.50

nat (inside) 10 access-list pnat

-- Make sure that you have configured your cryptomaps correctly to include

the mapped address (192.168.3.50) on both sides

Once the above steps are verified (on both ends), you should be able to

communicate between the inside clients and the remote subnet without any

issues.

Regards,

NT

Hello Nagaraja,

Sorry for not being able to reply quickly. I think what you are asking me to do is a another policy nat with global. Well that will not work as i tried it before. To give you an understanding of the topology.

       Internet

         |

         |

ASA Firewall --------- VPN Router ------- internet

There is a NAT on the outside interface pointing to the Interneton the FW for 120 hosts in that subnet. That is done using policy nat as you mentioned. That is working perfect. Now the customer wants to NAT those 120 hosts through another interface which is via the vpn interface towards the vpn router. Here is cant use policy nat again since it wont work.

So what i came up with is using nat exemption on that interafce for that subnet... What do you reckon?? I tested with static nat with subnets and it wont accept it.

Thanks

My doubt is why the static policy NAT is working but not dynamic policy NAT. As Nagaraja said, if you have the route for the remote LAN subnet pointing out through the vpn interface, then both should work. This is the reason why i wanted you to run a packet-tracer with dynamic policy NAT configured so we can see where exactly the packets are getting routed (outside or vpn interface).

Again, just to clarify one thing. If we use a dynamic policy NAT, traffic can be initiated only from your LAN (10.10.20.0) to the remote LAN (20.20.20.0).

Regards,

Prapanch

Hello,

So, the VPN is getting terminated on a different device (VPN router). Is

that correct? If the VPN traffic is leaving on a different interface, then

you should be able to apply the Dynamic NAT without any issue as the NAT

rules are applied after determining the exit interface not globally. If you

were not able to PING from your local subnet to remote, based on your

settings, I am assuming that you did not have "inspect icmp" enabled under

the policy map. Can you please give it a try again (dynamic policy) with

ICMP inspection enabled?

Regards,

NT

Hello,

inspect icmp is configured on the firewall. If same traffic goes out two interfaces via wont it look at the priority settings? Static NAT is given more priority than regular NAT or policy NAT. So when i configured static NAT is worked because it has higher priority. Unfortunately I cant use static nat since I have to allow 120 hosts individually and it wont accept subnets as the source.

NAT exemption is given higher priority than any thing else.

The nat policy going out is 10.10.20.0 --> any ---> interface outside (Policy nat)

the nat policy on the vpn is 10.10.20.0 --> 20.20.20.0 ----> interface vpn (policy nat) doesnt work only for those 120 hosts otherwise everything else works.

static nat works for hosts included in the outside interface nat.

Hello,

Can you please post the relevant NAT configurations here? Also, please post

the output of "show route" command.

Regards,

NT

Hi Nagaraja,

nat (inside) 100 access-list nat_outside

global (outside) 100 interface

access-list nat_outside extended permit ip host 10.10.20.1 any
access-list nat_outside extended permit ip host 10.10.20.2 any
access-list nat_outside extended permit ip host 10.10.20.3 any
access-list nat_outside extended permit ip host 10.10.20.4 any
access-list nat_outside extended permit ip host 10.10.20.5 any
access-list nat_outside extended permit ip host 10.10.20.6 any

access-list site_to_site_vpn extended permit ip 10.10.20.0 255.255.255.0 20.20.20.0 255.255.255.0

nat (inside) 1 access-list site_to_site_vpn

global (dmz) 1 192.168.3.50

The above policy nat doesnt have any affect on 10.10.20.5.

access-list static_nat_vpn extended permit ip host 10.10.20.5 20.20.20.0 255.255.255.0

static (inside,dmz) 192.168.3.51  access-list static_nat_vpn

The above static nat now works. Now I can send traffic out the outside interface as well as the dmz interface.

Hello,

What kind of traffic are you trying to send from inside to the remote vpn

clients? The only difference between the dynamic NAT that doesn't work and

the one that works is the first one is unidirectional and the second is

bidirectional. I see your point that since the inside-to-outside access-list

also contains the same IP addresses, it may not look at the other dynamic

statements. But, by design, it should not behave that way unless there is

another conflicting NAT statement on the DMZ interface. (Something like

"global (dmz) 100 interface" statement). Can you run a packet tracer (after

putting the dynamic translation back in there and removing the static/nonat

for that traffic) and post the output here? The command would be:

packet-tracer input inside icmp 10.10.20.5 8 0 20.20.20.10 detailed

Regards,

NT

HI Nagaraja,

By design both are the same. The static is unidirectional since I have not allowed access-lists to allow outside to enter the dmz. I really cant do much of troubleshooting on this one since its production and have to ask customers consent. But I will get back to you on this one.

Thanks a bunch for your help. Will mail you soon

Thanks