Cisco Support Community

SNAT and Site2Site VPN, does it work?

Hello,

I have a question regarding dynamic policy NAT and IPSEC Site2Site connections.
Kinda hard to explain, but I will do my best.

The current setup is
- two sites, site A (ASA 5520) and site B (ASA 5505). Both with FW 8.2
- Both sites are connected via IPSec S2S tunnel
- At site A I have a customer router connected, with a transfer network of 192.168.1.0/29
- Our customer requires us to SNAT every connection that goes to the customer network 172.16.0.0/20
- The SNAT IP has to be from the transfer network 192.168.1.0/29

At site A it works quite simply.
I have a dynamic policy NAT defined that every source IP from site A ( 10.10.0.0/10 )
that has 172.16.0.0/20 as destination will be translated to 192.168.1.1

The problem is site B ( 10.20.0.0/16 ).
In this case I have a dyn. policy NAT at the ASA5505 at site B.
Every source IP from site B ( 10.20.0.0/10 ) that has 172.16.0.0/20 as destination will be translated to 192.168.1.2.
This IP is included in the S2S tunnel to site A and should normally be forwarded.
When I try to access the customer network at site A, it works pretty fine. When I try this at site B I don't get any connection.
At site B I don't see any errors. ACLs, NAT, the IPSec tunnel, everything seems to be fine. The source IP gets natted, enters the tunnel and is sent to site A.
At site A I also don't see any errors at all.
All I see is something like this on the ASA site A:
6 Oct 26 2009 12:18:04 302013 192.168.1.1 14304 10.188.45.68 8001 Built inbound TCP connection 182622841 for outside:192.168.1.1/14304 (192.168.2.1/14304) to int_trans_network:172.16.1.1/8001 (172.16.1.1/8001)

Strange thing is that I don't see any packets leaving the interface on the ASA. Is there any FW bug?!

Any comments and recommendations are welcome!!

Regards
Tom
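As an added illustration (not configuration from the original post or from Cisco), the following shows how the setup Tom describes would be expressed in ASA 8.2 syntax, together with the checks a practitioner would run on both sides. Interface names inside/outside, the ACL and crypto-map names, the transform set, the inside test host 10.20.0.10 and the peer address placeholder are all assumptions; 172.16.1.1, port 8001 and the interface name int_trans_network are taken from the syslog line in the post. IKE policy and tunnel-group configuration are assumed to already exist.

```cisco
! ---- Site B (ASA 5505, 8.2): dynamic policy NAT and crypto ACL ----
! Hypothetical names: interfaces inside/outside, ACLs SITEB_TO_CUST and
! SITEB_VPN, crypto map SITEB_MAP. The peer is a placeholder, not a value
! from the post.

! 1. Policy NAT: only traffic from 10.20.0.0/16 destined to the customer
!    network 172.16.0.0/20 is translated, to transfer-network address 192.168.1.2.
access-list SITEB_TO_CUST extended permit ip 10.20.0.0 255.255.0.0 172.16.0.0 255.255.240.0
nat (inside) 2 access-list SITEB_TO_CUST
global (outside) 2 192.168.1.2 netmask 255.255.255.255

! 2. Crypto ACL: the ASA applies NAT before it evaluates the crypto map, so
!    the ACL that selects traffic for the tunnel must match the TRANSLATED
!    source 192.168.1.2, not the 10.20.0.0/16 inside addresses.
access-list SITEB_VPN extended permit ip host 192.168.1.2 172.16.0.0 255.255.240.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map SITEB_MAP 10 match address SITEB_VPN
crypto map SITEB_MAP 10 set peer SITE_A_PEER_IP_PLACEHOLDER
crypto map SITEB_MAP 10 set transform-set ESP-AES-SHA
crypto map SITEB_MAP interface outside

! ---- Site A (ASA 5520, 8.2): mirror crypto ACL ----
! Assumed ACL name SITEA_VPN; the proxy identities must be the exact mirror
! of site B's (192.168.1.2 <-> 172.16.0.0/20) or phase 2 will not match.
access-list SITEA_VPN extended permit ip 172.16.0.0 255.255.240.0 host 192.168.1.2

! ---- Verification (both sites) ----
! packet-tracer walks the full pipeline (ACL, NAT, VPN) for a synthetic
! packet and reports the NAT rule and crypto map entry that were hit.
! Site B, constructed inside host -> customer server (port from the post):
packet-tracer input inside tcp 10.20.0.10 1025 172.16.1.1 8001
! Site A, the packet as it looks after decryption on the outside interface;
! the result should show it leaving via int_trans_network untranslated:
packet-tracer input outside tcp 192.168.1.2 1025 172.16.1.1 8001
! Tunnel counters: #pkts encaps at site B should rise together with
! #pkts decaps at site A for the 192.168.1.2 -> 172.16.0.0/20 SA.
show crypto ipsec sa peer SITE_A_PEER_IP_PLACEHOLDER
! Active translations at site B: the 10.20.0.x source should appear
! translated to 192.168.1.2 while the connection is open.
show xlate
```

If the site A packet-tracer shows the flow being translated a second time or dropped at the NAT stage, that is the place to compare against the site A NAT rules; if site B's encaps counter rises but site A's decaps counter does not, the proxy identities on the two crypto ACLs are the first thing to compare.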

Last update: 11-04-2009 11:01 PM
Comments

Thank you for your posting and interest in the Cisco Support Community.  For best practices on posting documents in this community you can refer to

https://supportforums.cisco.com/docs/DOC-6022#Can_I_use_documents_to_post_technical_questions

For technical questions related to a Cisco Product or Technology, we encourage you to post on the Network Professionals Forum (NetPro). For your question on <specify Cisco Product or technology> you can go to <put the link to the specific forum, e.g. if the question is related to VPN, put the post in VPN