Please find my requirements below & the test results.
Created site-to-site VPN (Client ASA ~ Data Center ASA).
Tunnel established. Only Client WRKS-A (192.168.1.1) & Data Center Server-A (10.1.1.1) are in the allowed hosts on VPN ACL
Able to transfer files from Client 192.168.1.1 to 10.1.1.1 with no issues.
Assume a situation where I am taking my Server-A (10.1.1.1) down for maintenance for 6 hours; until the maintenance is complete, I will have Server-B (10.1.1.2) in place, so that I need not ask the client to add 10.1.1.2 to his ASA.
Since 10.1.1.2 is not in the allowed VPN, I have a POLICY-NAT configuration in place on the Data Center ASA, so that the file transfer from 192.168.1.1 will not be interrupted.
access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.1.1.2 host 192.168.1.1
access-list nonat extended permit ip host 10.1.1.1 host 192.168.1.1
Successful & able to receive files from 192.168.1.1 to 10.1.1.2 after the policy NAT configuration, & hence I decided that I will use this policy NAT configuration forever, so that the client will keep transferring the files only to 10.1.1.2 forever, though 10.1.1.2 is not in his allowed ACL.
I have another client 172.16.1.1 on a different VPN tunnel, where I have to permit ONLY 10.1.1.1 to receive the files from 172.16.1.1. The issue here is: the tunnel establishes, but the client is transferring the files to 10.1.1.2 because a POLICY-NAT for the IP 10.1.1.1 is configured for the previous client.
Why does this POLICY-NAT apply to the other tunnels when they also use the same IP 10.1.1.1?
I was assuming that POLICY-NAT would apply only to the tunnel where I configure it, but this seems to apply to everyone who is using 10.1.1.1.