NAT or Policy NAT question

elnurmirba
Level 1

Hi Everyone!

I have a question about NAT on an ASA firewall. I have a host coming from outside with IP address 10.0.0.10 to my inside network host with IP address 192.168.0.10.

I need the outside host's IP address (10.0.0.10) to be translated to 192.168.0.11 when its packets are crossing the inside interface.

Can someone please give me a clue on how to do that? I run ASA 8.3.

Thanks.

5 Replies

varrao
Level 10

Hi,

You would need the following NAT config for it:

object network outside_network
  host 10.0.0.10
object network outside_natted_ip
  host 192.168.0.11
object network inside_network
  host 192.168.0.10
nat (outside,inside) source static outside_network outside_natted_ip destination static inside_network inside_network

This should solve the purpose that you are trying to achieve.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thank you for your reply. I am wondering if the above will work after a VPN tunnel, i.e. 10.0.0.10 will be the host which comes from outside but through an L2L VPN tunnel? Currently I have another NAT statement on my ASA in order to get things working with VPN, as follows:

object-group network ASA2_LAN
  network-object 10.0.0.0 255.255.255.0
object-group network ASA1_LAN
  network-object 192.168.0.0 255.255.255.0
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN

I am wondering if I can just add your configuration as you put it above without changing my current NAT statements.

And again, I need to translate just one host, which is 10.0.0.10, which is going to be coming in from outside but through the VPN tunnel.

Thanks!

Hi,

Yes, you can add the NAT statement for the specific host as well, but it should be above the NAT that you have for the complete network, since the NAT order of preference in 8.4 is top to bottom; therefore more specific NATs should be on top. Apart from that, if it's a site-to-site VPN you would also need a crypto ACL for the NATted IP of the host.

Thanks,

Varun

Thanks,
Varun Rao
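The ordering point in Varun's reply (manual NAT rules in ASA 8.3+ are evaluated top to bottom, first match wins, and each rule is applied in both directions) can be checked with a small model. The following is an added example written for this page, not code from the thread or from Cisco: it models twice-NAT rule matching for the host rule from the thread, plus an assumed whole-network identity rule written in the same (outside,inside) direction so that the two rules actually overlap. Interface names, packets and the identity rule are constructed for the demonstration.

```python
"""Toy model of Cisco ASA 8.3+ manual (twice) NAT: first match, top to bottom.

Added example for illustration only; it is not the ASA implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    """nat (real_if,mapped_if) source static real_src mapped_src destination static real_dst mapped_dst"""
    real_if: str
    mapped_if: str
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str


def _in(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net)


def _translate(addr: str, real: str, mapped: str) -> str:
    """Static one-to-one translation: keep the host offset within the network."""
    real_n, mapped_n = ip_network(real), ip_network(mapped)
    offset = int(ip_address(addr)) - int(real_n.network_address)
    return str(ip_address(int(mapped_n.network_address) + offset))


def apply_nat(rules, ingress_if, src, dst):
    """Return (egress_if, new_src, new_dst, rule_index) from the first matching rule.

    A rule matches forward when the packet enters real_if and (src, dst) fall in
    (real_src, real_dst); it matches in reverse when the packet enters mapped_if
    and (src, dst) fall in (mapped_dst, mapped_src). Returns None on no match.
    """
    for idx, r in enumerate(rules):
        if ingress_if == r.real_if and _in(r.real_src, src) and _in(r.real_dst, dst):
            return (r.mapped_if,
                    _translate(src, r.real_src, r.mapped_src),
                    _translate(dst, r.real_dst, r.mapped_dst), idx)
        if ingress_if == r.mapped_if and _in(r.mapped_dst, src) and _in(r.mapped_src, dst):
            return (r.real_if,
                    _translate(src, r.mapped_dst, r.real_dst),
                    _translate(dst, r.mapped_src, r.real_src), idx)
    return None


# Host rule from the thread: 10.0.0.10 appears as 192.168.0.11 on the inside.
HOST_RULE = NatRule("outside", "inside", "10.0.0.10", "192.168.0.11",
                    "192.168.0.10", "192.168.0.10")
# Constructed whole-network identity rule (assumption: same direction as the host rule).
NETWORK_RULE = NatRule("outside", "inside", "10.0.0.0/24", "10.0.0.0/24",
                       "192.168.0.0/24", "192.168.0.0/24")

SPECIFIC_FIRST = [HOST_RULE, NETWORK_RULE]   # Varun's recommended order
GENERAL_FIRST = [NETWORK_RULE, HOST_RULE]    # the order to avoid


def demo():
    """Same VPN packet through both orders, plus the return packet."""
    pkt = ("outside", "10.0.0.10", "192.168.0.10")
    good = apply_nat(SPECIFIC_FIRST, *pkt)
    bad = apply_nat(GENERAL_FIRST, *pkt)
    reply = apply_nat(SPECIFIC_FIRST, "inside", "192.168.0.10", "192.168.0.11")
    return good, bad, reply


if __name__ == "__main__":
    good, bad, reply = demo()
    print("specific first :", good)   # host translated to 192.168.0.11 by rule 0
    print("general first  :", bad)    # identity rule wins, no translation
    print("return packet  :", reply)  # un-translated back to 10.0.0.10
```

Running it shows the host being translated only when the host rule sits above the network rule; with the general rule first, the identity rule matches and the packet reaches the inside with its real source address. On a real ASA the equivalent check is `show nat`, which lists the manual rules in the order they are evaluated.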

Thank you Varun.

I did as you said, and I didn't even need

nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN

for packets coming from the remote ASA to be translated properly.

I did only:

object network outside_network
  host 10.0.0.10
object network outside_natted_ip
  host 192.168.0.11
object network inside_network
  host 192.168.0.10
nat (outside,inside) source static outside_network outside_natted_ip destination static inside_network inside_network

I have also applied the crypto map and everything looks to be good.

I can ping from the remote side firewall (VPN initiator) my local LAN host which is behind my ASA, and it looks like the tunnel is working.

The only thing I am unsure about is that when I ping from the remote side host on my local LAN and I do "sh crypto ipsec sa", I see the below, and they are counting up with each ping, which means that packets are being received and sent over the tunnel:

      #pkts encaps: 15711, #pkts encrypt: 15711, #pkts digest: 15711
      #pkts decaps: 15740, #pkts decrypt: 15740, #pkts verify: 15740

But when I do "show access-list cryptointerested", which defines my crypto-interested local LAN IP addresses (source) to remote LAN (destination), the hits are not counting up.

Although ping is working, I am wondering if "show access-list cryptointerested" on my ASA should be counting when I send a ping from the remote ASA and the remote ASA is the tunnel initiator. I am not supposed to initiate the tunnel from my side.

Will appreciate your clarification.

Thx.

Most interested in whether the access-list hit counter on my side should be increasing while pinging over the tunnel from a host behind the remote firewall...
