10-06-2010 10:55 AM
Hello,
I have a VPN setup to a vendor that requires a policy NAT statement such as below:
access-list test_1_cryptomap extended permit ip host 10.1.3.192 192.168.1.0 255.255.255.0
access-list test-policy-nat extended permit ip host 10.0.100.180 192.168.1.0 255.255.255.0
global (outside) 15 10.1.3.192
nat (inside) 15 access-list test-policy-nat
From the inside host 10.0.100.180 I can ping anything on the 192.168.1.0/24 network and it correctly NATs to 10.1.3.192 through the VPN; however, when site B tries to ping 10.1.3.192 to reach back to host 10.0.100.180, it fails. I know I need to add another statement for NAT'ing 10.1.3.192 back to 10.0.100.180 but am unsure how. Anyone have any ideas? This is on an ASA 5510.
Thanks,
Jeff
10-06-2010 11:11 AM
If you need the other side to initiate the traffic, you need to use static policy NAT:
static (inside,outside) 10.1.3.192 access-list test-policy-nat
10-06-2010 11:18 AM
Thanks Yudong, made the change. Do I also need to add any other statements to the access-list?
10-06-2010 11:21 AM
Oh, you might need to remove the previous nat/global config and run a "clear xlate".
I don't think you need to add anything else on the ACL for policy static NAT unless you have the other requirement.
10-06-2010 12:18 PM
Thank you Yudong for all your help. Everything is working now!
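Added example, not part of the thread and not ASA code: a simplified Python model of why the dynamic policy NAT (nat/global) only passes traffic the inside host initiated, while the static policy NAT also accepts connections opened from 192.168.1.0/24. The class, its method names and the flow-id bookkeeping are assumptions made for illustration; the addresses are the ones in the posts above.

```python
import ipaddress

INSIDE_HOST = "10.0.100.180"   # real address, from the thread
MAPPED = "10.1.3.192"          # mapped address, from the thread
VENDOR_NET = ipaddress.ip_network("192.168.1.0/24")  # destination in test-policy-nat


class PolicyNat:
    """Simplified model of one policy NAT rule (illustrative assumption)."""

    def __init__(self, static):
        self.static = static
        self.xlate = set()  # dynamic entries: (peer address, flow id)

    def _matches_policy(self, inside, peer):
        return inside == INSIDE_HOST and ipaddress.ip_address(peer) in VENDOR_NET

    def outbound(self, src, dst, flow):
        """Inside host initiates. Returns the translated source, or None."""
        if not self._matches_policy(src, dst):
            return None
        if not self.static:
            # A dynamic rule builds a translation only when inside traffic hits it.
            self.xlate.add((dst, flow))
        return MAPPED

    def inbound(self, src, dst, flow):
        """Vendor side sends to the mapped address. Returns the real
        destination, or None when nothing can untranslate the packet."""
        if dst != MAPPED or ipaddress.ip_address(src) not in VENDOR_NET:
            return None  # outside the policy ACL: the rule does not apply
        if self.static:
            return INSIDE_HOST  # fixed mapping, usable in both directions
        # Dynamic: only replies to a flow the inside host already opened.
        return INSIDE_HOST if (src, flow) in self.xlate else None


def compare(peer="192.168.1.10", flow=1):
    """Constructed scenario: the vendor host initiates first, then inside does."""
    dynamic, static = PolicyNat(static=False), PolicyNat(static=True)
    result = {
        "dynamic_vendor_initiates": dynamic.inbound(peer, MAPPED, flow),
        "static_vendor_initiates": static.inbound(peer, MAPPED, flow),
    }
    dynamic.outbound(INSIDE_HOST, peer, flow)
    result["dynamic_reply_after_outbound"] = dynamic.inbound(peer, MAPPED, flow)
    return result
```

The static rule is still scoped by the policy ACL: in the model, a source outside 192.168.1.0/24 gets no translation in either mode.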