Wonderful Jouni,

I will be testing that today and will get back to you by tonight.  Your understanding of my setup is exactly right.  I was told by another technician that I should perform the PAT on the Main Office ASA, hence why I am working there.  Thank you so much, and as soon as I get word of how that'll work I will respond back. 

It seems I'm still having troubles.  Attached are all the config lines ive used to attempt to get this working

route outside 10.10.10.0 255.255.255.0 192.168.15.1 1
route outside 10.10.20.0 255.255.255.0 192.168.15.1 1

access-list DYNAMIC-POLICY-PAT permit ip 172.16.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list DYNAMIC-POLICY-PAT permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.15.149 255.255.255.255 VPN-Remote 255.255.255.0

global (outside) 200 192.168.15.149
nat (inside) 200 access-list DYNAMIC-POLICY-PAT

Everything looks right.  When I run a packet-tracer from 172.16.10.X to one of the remote 3rd party IPs, its allowed the entire way, I see the NAT rule being applied and being translated from a 172.16.10.X to 192.168.15.149 just fine.  I also see the 192.168.15.149 being allowed through the VPN tunnel when I run show crypto ipsec sa so it should be allow over the VPN. 

Am I missing something entirely?  I haven't done anything on the Main Office ASA, I don't think I need to allow anything as it's a 192.168.15.0 address going through the tunnel, which is already allowed through the crypto map config.

Hi,

Actually now I understand why you were possibly told that this should be done at Main Office.

Its because of your NAT IP address used. This is an IP address beloging directly to the Main Office ASA interface. Therefore this traffic at the moment probably wont ever be forwarded to the VPN connection atleast in the direction Main Office -> Remote Office since the 3rd party Router will try to ARP for the MAC address of the host 192.168.15.149 as it thinks that its connected directly to that network. And as there is no NAT/PAT at the moment on the Main Site for that IP address the ASA wont answer that ARP request.

This kind of makes me think that the situation originally has been so that changes can't be made to the 3rd party router and thats why you are trying to PAT the Remote Site to an IP address that the 3rd party router already has a route for (directly connected)

So next there are these questions

What is the 3rd party router using as default gateway?

Could an IP address from some new subnet be used as the Dynamic PAT IP address for the Remote Site users? This comes back to the above question as to what is the default gateway of the 3rd party router? If its not your ASA then a route for the new Dynamic PAT IP address (configured on Remote Site) would have to configured on the 3rd party router pointing it towards the ASA.

Hope this helps

- Jouni

The router for the 3rd Party Network at the main office is in the route statements above, 192.168.15.1

Could I do

access-list DYNAMIC-POLICY_PAT .....

global (inside) 200 192.168.15.49

nat (outside) 200 access-list DYNAMIC_POLICY_PAT

on the Main office ASA? 

The 3rd Party basically won't do anything for us in way of their configuration.  They will only allow the Main Office subnet, none others, and won't make a route back to the 172.16.10.0 network, hence why I am stuck in this predicament.  If they would just route back to the Remote office, I wouldn't be on here trying to find a convuluted solution.

Hi,

I think it might work. To be honest I have never done such a setup since we simply dont accept that a situation where a 3rd party would dictate us to make these kind of unusual setups just because they can't be bothered to make changes to their devices (which are pretty simple)

What you will probably need in that "nat" command is the parameter "outside" in the end of the command. This is because you are doing Dynamic PAT from a lower "security-level" interface to a higher one.

Check this section from ASA Command Reference

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533

Quote

 For policy dynamic NAT and NAT exemption: 

nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq] 




 outside 


 (Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT. 

Again, this is not something I have done other than to test it in some labs so I am not 100% sure how it acts with the other NAT configurations. I can't see a problem at the moment atleast since its specifically made to be a Policy type of NAT.

To my understanding this Dynamic Policy PAT should work as the ASA the ASA should do NAT operations before sending traffic towards the Remote Site (would untranslate the PAT to the real IP address before VPN rules matched) and when traffic is coming from the L2L VPN towards Main Office I would imagine that when the packet is decapsulated/decrypted it would then be PATed to the correct IP address.

- Jouni