Cisco VPN Policy-Nat

jventura
Level 1

Hello,

I have a VPN setup to a vendor that requires a policy NAT statement such as below:

access-list test_1_cryptomap extended permit ip host 10.1.3.192 192.168.1.0 255.255.255.0
access-list test-policy-nat extended permit ip host 10.0.100.180 192.168.1.0 255.255.255.0

global (outside) 15 10.1.3.192
nat (inside) 15 access-list test-policy-nat

From the inside host 10.0.100.180 I can ping anything on the 192.168.1.0/24 network and it correctly NATs to 10.1.3.192 through the VPN; however, when site B tries to ping 10.1.3.192 to reach back to host 10.0.100.180, it fails. I know I need to add another statement for NATing 10.1.3.192 back to 10.0.100.180 but I am unsure how. Anyone have any ideas? This is on an ASA 5510.

Thanks,

Jeff

4 Replies

Yudong Wu
Level 7

If you need the other side to initiate the traffic, you need to use static policy NAT:

static (inside,outside) 10.1.3.192 access-list test-policy-nat

Thanks Yudong, made the change. Do I also need to add any other statements to the access-list?

Oh, you might need to remove the previous nat/global config and run a "clear xlate".

I don't think you need to add anything else on the ACL for policy static NAT unless you have other requirements.

Thank you Yudong for all your help. Everything is working now!
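The configuration the thread arrives at, collected as an added example (not posted by either participant): the dynamic nat/global pair is removed, the static policy NAT from the reply takes its place, and a packet-tracer check covers each direction. The interface names, the vendor host 192.168.1.10 and the pre-8.3 NAT syntax are assumptions.

```cisco
! Added example, not from the thread. Assumes a pre-8.3 ASA with interfaces
! named inside/outside; 192.168.1.10 is a constructed vendor host.

! Interesting traffic for the tunnel, written in post-NAT terms: the vendor
! only ever sees 10.1.3.192, never the real host 10.0.100.180.
access-list test_1_cryptomap extended permit ip host 10.1.3.192 192.168.1.0 255.255.255.0

! Policy NAT match: translate 10.0.100.180 only when it talks to 192.168.1.0/24.
access-list test-policy-nat extended permit ip host 10.0.100.180 192.168.1.0 255.255.255.0

! Remove the dynamic translation from the question. A dynamic nat/global pair
! only builds an xlate after the inside host sends first, so a connection
! initiated from site B toward 10.1.3.192 has no translation to match.
no nat (inside) 15 access-list test-policy-nat
no global (outside) 15 10.1.3.192

! Static policy NAT from the reply: the translation is permanent and
! bidirectional, so site B can initiate to 10.1.3.192 and reach 10.0.100.180.
static (inside,outside) 10.1.3.192 access-list test-policy-nat

! Drop translations built under the old dynamic rule so the static rule applies.
clear xlate

! Verification. Outbound: real host to the vendor network.
packet-tracer input inside icmp 10.0.100.180 8 0 192.168.1.10
! Inbound: vendor host to the translated address. The NAT phase should match
! the static rule and untranslate the destination to 10.0.100.180.
packet-tracer input outside icmp 192.168.1.10 8 0 10.1.3.192
```

If the inbound trace fails before the NAT phase, check that the tunnel is up and that VPN traffic is permitted past the outside interface ACL before revisiting the translation.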