NAT'ing LAN subnet

gtorresjr77
Level 1

I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 to the destination IP, let's say (2.2.2.2)

code version is 821

name 2.2.2.2 External_IP

name 172.31.196.0 Local_xlated

I thought the statement would look like nat (inside,outside) inside-network Local_xlated static destination External_IP

16 Replies

Jouni Forss
VIP Alumni

Hi,

Do you mean that your software level is 8.2(1)? You should see the mentioned information with the "show version" command.

If that is your software level then you would be using the older NAT configuration format and not the one you have mentioned in the post. The above configuration seems to be of the new format that came in the 8.3+ software versions.

You would essentially be configuring a Static Policy NAT with the help of "access-list" and "static" command.

For example this:

access-list L2LVPN-POLICYNAT remark Static Policy NAT for L2L VPN
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 host 2.2.2.2
static (inside,outside) 172.31.196.0 access-list L2LVPN-POLICYNAT

This should achieve what you are attempting.

In other words, when the source network is 192.168.1.0/24 and the destination for the connection is host 2.2.2.2 then translate the source network 192.168.1.0/24 to NAT network 172.31.196.0/24.

Since this is the older NAT configuration format there might be one thing you should consider. If any host on the "inside" network of 192.168.1.0/24 has a Static NAT configured to the "outside" then you might have to remove that Static NAT and re-enter it after you have added the above configuration.

The reason for the above suggestion is the fact that if you have an existing Static NAT for a host on 192.168.1.0/24 network towards "outside" then that Static NAT will keep overriding the Static Policy NAT. This is because the Static NAT is configured before the Static Policy NAT. Removing and re-entering the Static NAT would essentially enter it after the new Static Policy NAT and everything should be ok.

Hope this helps

Let us know if this works for you.

Feel free to ask more if needed.

- Jouni

So any static statements only with (inside,outside) should be removed and re-entered?

If there's a static statement with (inside, backup), that doesn't need to be?

Yes, I did mean 8.2(1).

Hello,

If you are using dual outside interfaces, then you must assign it to that backup interface in case the primary goes down!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I believe the remote end is only pointing to the primary IP though in the site to site.  But I can add the backup NATing as well in case that is changed.

I believe the client did not want to pay for more memory in order to update the code, which is why it's still at that version.

Thanks

Hi,

If your L2L VPN are built only through the primary "outside" interface then you only need to configure the Static Policy NAT for the primary "outside" interface.

You don't necessarily have to do anything more than configure the above Static Policy NAT. Though you might find that hosts/servers with their own Static NAT to a public IP address might not be able to access the remote network because of that existing Static NAT. For those you would then have to make the change in the order of the NAT configurations.

Hope this helps

Please do remember to mark a reply as a correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
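Both of Jouni's replies above turn on the same 8.2 behaviour: "static" lines are evaluated in configuration order, so a regular host static that was entered before the policy static keeps matching traffic the policy static was meant to translate, and removing and re-entering the host static fixes it by moving it behind the policy static. The toy model below, an added example and not configuration or code from the thread or from Cisco, replays that rule ordering. It uses the thread's values (192.168.1.0/24, 172.31.196.0/24, peer 2.2.2.2); the public address 203.0.113.6 and the rule labels are constructed placeholders, and dynamic NAT/PAT (which comes after all statics) is not modelled.

```python
"""Toy model of ASA 8.2 'static' rule precedence: first matching line wins.

Added example, not configuration or code from the thread or from Cisco.
Dynamic NAT/PAT, evaluated after all statics, is not modelled here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class StaticRule:
    name: str                                 # label for this model only; 8.2 statics have no names
    real: IPv4Network                         # real (inside) host or network
    mapped: IPv4Network                       # mapped (outside) host or network
    policy_dst: Optional[IPv4Network] = None  # destination from the policy ACL; None = regular static

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if src not in self.real:
            return False
        return self.policy_dst is None or dst in self.policy_dst

    def translate(self, src: IPv4Address) -> IPv4Address:
        # a network static keeps the host part: 192.168.1.6 -> 172.31.196.6
        offset = int(src) - int(self.real.network_address)
        return IPv4Address(int(self.mapped.network_address) + offset)


def translate(rules: List[StaticRule], src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Return (mapped source, rule name) for the first matching static, or None
    when no static matches and the packet would fall through to dynamic NAT/PAT."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in rules:                        # configuration order is evaluation order
        if rule.matches(s, d):
            return str(rule.translate(s)), rule.name
    return None


def reorder_statics(rules: List[StaticRule]) -> List[StaticRule]:
    """What 'remove and re-enter the regular static' achieves on the box:
    every policy static ends up ahead of every regular static."""
    policy = [r for r in rules if r.policy_dst is not None]
    regular = [r for r in rules if r.policy_dst is None]
    return policy + regular


# 203.0.113.6 is a constructed placeholder for the public IP of a pre-existing
# host static; the thread does not give that address.
HOST_STATIC = StaticRule("host-static", IPv4Network("192.168.1.6/32"),
                         IPv4Network("203.0.113.6/32"))
POLICY_STATIC = StaticRule("L2LVPN-POLICYNAT", IPv4Network("192.168.1.0/24"),
                           IPv4Network("172.31.196.0/24"), IPv4Network("2.2.2.2/32"))

BEFORE = [HOST_STATIC, POLICY_STATIC]  # host static entered first: it shadows the policy static
AFTER = reorder_statics(BEFORE)        # after removing and re-entering the host static

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "1.6 -> 2.2.2.2:", translate(rules, "192.168.1.6", "2.2.2.2"))
        print(label, "1.6 -> 8.8.8.8:", translate(rules, "192.168.1.6", "8.8.8.8"))
        print(label, "1.100 -> 8.8.8.8:", translate(rules, "192.168.1.100", "8.8.8.8"))
```

With the original order, 192.168.1.6 talking to 2.2.2.2 is translated by the host static to the public address instead of to 172.31.196.6, which is exactly the symptom Jouni warns about; after reordering, only traffic to 2.2.2.2 hits the policy static and the host static still serves everything else.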

OK, thanks.

Just to clarify, the NAT'ing will be both directions? The remote network will see the 192.168.1.0 network as 172.31.196.0?

Hi,

Yes, the NAT rule is bidirectional as long as it matches the ACL.

Traffic from LAN 192.168.1.0/24 towards host 2.2.2.2 will be NATed to 172.31.196.0/24

Traffic from host 2.2.2.2 towards 172.31.196.0/24 will be UN-NATed to 192.168.1.0/24

Hope this helps

- Jouni

I received an error when I removed the static statements and re-entered them, stating the local LAN was already NAT'ed to 172.31.196.0.

I did as you said: entered the access-list and static, removed the static statements and tried to re-add them. I reverted back.

I am going to see if we can update the code. Where do I find the memory requirements for asa913-k8? This ASA currently has 256 MB.

Hi,

Yes, it will probably give you an error message.

Did you check if both "static" configurations were there after the removing and adding the normal Static NAT?

It should work since I have used it even in our own network.

When you have both of them configured you can use "packet-tracer" to confirm that the rule works as it should.

packet-tracer input inside tcp 192.168.1.100 12345 2.2.2.2 80

packet-tracer input inside tcp 192.168.1.100 12345 1.1.1.1 80

These should provide 2 different translations. You can share the output with us if you want us to check through them. It should work.

- Jouni

I am trying to ping from the ASA and every result is ?????

I tried specifying the interface. I have the tunnel enabled through ASDM but don't see it up in monitoring.

This ping issue was prior to any changes from what we are working on.

Hi,

I doubt the ASA will apply any translation to any traffic you generate from it.

The "packet-tracer" commands I provided should tell us exactly what translation is applied to the traffic.

To actually test the traffic you will have to use an actual host in the network 192.168.1.0/24

- Jouni

OK, I was just wondering why I couldn't ping anything from the ASA, even an internal IP.

packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53

packet-tracer input inside tcp 192.168.1.6 53 173.220.117.20 53

Is this a valid test?

There's a static NAT for 1.6 inside,outside for 53, so these two statements should have different results, correct? If this is a valid test, I'll perform it and show you the results.

Hi,

If the IP address 173.220.117.20 is an IP address used in the Static Policy NAT ACL as the destination IP address then these should be the correct commands to simulate and test the NAT behaviour.

- Jouni

eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) MC_Local_xlated  access-list L2LVPN-POLICYNAT
  match ip inside 192.168.1.0 255.255.255.0 outside host External_IP
    static translation to MC_Local_xlated
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (External_IP [Interface PAT])
    translate_hits = 24686918, untranslate_hits = 1904674
Additional Information:
Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32668832, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

eluciasa(config)#
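The trace above was run towards 8.8.8.8, which is not the destination in the policy ACL, so the expected outcome is interface PAT rather than the policy static. Reading that off a nine-phase trace by eye is error-prone: the policy rule is printed in phase 5 (under the host-limits subtype, with translate_hits = 0 and nothing under Additional Information), while the translation actually performed is the "Dynamic translate ... to External_IP/356" line in phase 6. The Python below is an added example, not code from the thread or from Cisco: it parses packet-tracer output into phases and reports, per NAT phase, the rule line, its hit counter and whether that phase produced the applied translation. SAMPLE is a trimmed excerpt of the trace posted above (phases 2 to 4 and 7 to 9 dropped); the phase field names are this example's own.

```python
"""Parse 'packet-tracer' output into phases and pull out the NAT decision.
Added example, not code from the thread or from Cisco. SAMPLE is a trimmed
excerpt of the trace posted in the thread (phases 2-4 and 7-9 dropped)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) MC_Local_xlated  access-list L2LVPN-POLICYNAT
  match ip inside 192.168.1.0 255.255.255.0 outside host External_IP
    static translation to MC_Local_xlated
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (External_IP [Interface PAT])
    translate_hits = 24686918, untranslate_hits = 1904674
Additional Information:
Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
APPLIED = re.compile(r"\b(?:Static|Dynamic) translate\b")   # the line that records the real NAT
FIELDS = {"Type": "type", "Subtype": "subtype", "Result": "result"}


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    additional: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    summary: Dict[str, str] = field(default_factory=dict)  # trailing "Result:" block


def parse_packet_tracer(text: str) -> Trace:
    trace, current, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.partition(":")[2]))
            trace.phases.append(current)
            section = None
        elif line == "Result:":                 # a bare "Result:" opens the final summary
            current = None
        elif current is None:
            key, _, value = line.partition(":")
            trace.summary[key.strip()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "additional"
        elif section is None:                   # Type/Subtype/Result header of the phase
            key, _, value = line.partition(":")
            if key in FIELDS:
                setattr(current, FIELDS[key], value.strip())
        else:
            getattr(current, section).append(line)
    return trace


def nat_rules_hit(trace: Trace) -> List[dict]:
    """One entry per NAT phase: the rule line, its translate_hits counter and
    the translation actually applied (only the phase that did the NAT has one)."""
    out = []
    for p in (p for p in trace.phases if p.type == "NAT"):
        hits = HITS.search("\n".join(p.config))
        out.append({"phase": p.number, "rule": p.config[0] if p.config else "",
                    "translate_hits": int(hits.group(1)) if hits else None,
                    "applied": next((l for l in p.additional if APPLIED.search(l)), None)})
    return out


if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE)
    for r in nat_rules_hit(t):
        print(r)
    print("action:", t.summary.get("Action"))
```

Run against the posted trace this yields two NAT entries: phase 5 with the policy static, zero hits and no applied translation, and phase 6 with the interface PAT rule and the applied "Dynamic translate" line, which is the result the second packet-tracer command (destination 173.220.117.20, if that is the ACL destination) should then invert by showing the static translation applied in the policy phase instead.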
