Policy static NAT on ASA

smunzani
Level 1

Hi,

I have an ASA box here running 7.2.3 code. Below is the goal.

Simple configuration. Inside and outside. When inside subnets go to the internet, they use PAT (global and nat commands). However, if the inside hosts go to a specific address (my 3rd-party MSP), the source addresses should be NATed.

Below is my config.

access-list msp-nat permit ip 192.168.1.0 255.255.255.0 host 2.2.2.2

static(inside,outside) 10.99.1.0 access-list msp-nat netmask 255.255.255.0

However, the issue is that netmask shows as a valid option if you hit ?, but when you type it in, it tells me it's not a valid option.

my-fw(config)# static (inside,outside) 10.99.1.0 access-list msp-nat netmask 255.255.255.0
invalid option netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

I am sure I am not the 1st guy who is running into this requirement. Almost all 3rd-party VPN connections require some kind of NAT to avoid overlapping IPs.

Any help is greatly appreciated.

9 Replies

acomiskey
Level 10

From command ref:

"If you use the access-list keyword instead of the real_ip, then the subnet mask used in the access list is also used for the mapped_ip."

So you should be able to do...

access-list msp-nat permit ip 192.168.1.0 255.255.255.0 host 2.2.2.2

static (inside,outside) 10.99.1.0 access-list msp-nat

That's what I am trying now, but how does it know it needs to do subnet-to-subnet NAT? Usually on the static command you define the mask. Here we don't have the mask defined on the static command. The mask on the ACL is only for triggering the policy NAT.

The source subnet mask used in the access list is also used for the mapped addresses.

I don't know why the CLI is even showing the netmask as an option since it's not part of the static command structure.

For policy static NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list using the access-list command (see the "Adding an Extended Access List" section). This access list should include only permit ACEs. The source subnet mask used in the access list is also used for the mapped addresses. You can also specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section for more information.

HTH

Sundar

It takes the mask from the real address in the acl.

So it's almost like..

static (inside,outside) 10.99.1.0 192.168.1.0 netmask 255.255.255.0

You're just moving the real ip and mask up to the acl.

It doesn't seem to be working though. I don't see ACL hit counts anywhere. Here is the full sanitized config.

access-list msp-vpn extended permit ip 10.0.66.0 255.255.255.0 host 172.19.1.1
access-list msp-nat extended permit ip 192.168.1.0 255.255.255.0 host 172.19.1.1
!
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 10.0.66.0 access-list msp-nat
!
crypto map vpn-map 10 match address msp-vpn
crypto map vpn-map 10 set peer x.x.x.x
crypto map vpn-map 10 set transform-set ESP-3DES-MD5
!
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

MYFW(config)# show xlate
36 in use, 250 most used
Global 10.0.66.0 Local 192.168.1.0
PAT Global x.x.x.x(1798) Local 192.168.1.124(3019)
<< more output trimmed here >>

So with this config, I don't even see the VPN triggering since NAT doesn't trigger. Show access-list doesn't show the hit count incrementing on either of the ACLs mentioned above.

Configuration looks good. Did you do a 'clear xlate' after the configuration change? If it still doesn't work, try the policy NAT instead of the policy static NAT.

Sam

Could you try this just to make sure it's not something else

1) remove the static entry

2) add the following config

nat (inside) 2 access-list msp-nat
global (outside) 2 10.0.66.0 255.255.255.0

Jon

That doesn't work for me since that would work only for traffic from inside to outside. I need static since the MSP needs to reach each individual IP for monitoring purposes. We need to reach the MSP server to send traps/syslog.

To prove my logic here, I ran the capture command with an ACL and pinged the destination IP.

access-list debug-nat extended permit ip any host 172.19.1.1
!
capture debug-inside type raw-data access-list debug-nat buffer 1024000 interface inside
capture debug-outside type raw-data access-list debug-nat buffer 1024000 interface outside
!
MYFW(config)# sh capture debug-inside
3 packets captured
1: 13:08:28.210468 802.1Q vlan#1 P0 192.168.1.5 > 172.19.1.1: icmp: echo request
2: 13:08:33.365383 802.1Q vlan#1 P0 192.168.1.5 > 172.19.1.1: icmp: echo request
3: 13:08:38.864976 802.1Q vlan#1 P0 192.168.1.5 > 172.19.1.1: icmp: echo request
3 packets shown

MYFW(config)# sh capture debug-outside
4 packets captured
1: 13:08:28.210651 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request
2: 13:08:33.365535 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request
3: 13:08:38.865143 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request
4: 13:08:44.364834 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

Team,

Thanks a lot to whoever responded. This thing might have already been working all along, but because of my VPN issues, I was testing it with packet capture. I was just comparing packet captures on the inside and outside interfaces and it still shows the original source address. I guess it has something to do with order of operation.

If you want to see where and how the NAT happens, run packet-tracer on the ASA and you will see it clearly like this.

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.99.1.0 access-list msp-nat
  nat-control
  match ip inside 192.168.1.0 255.255.255.0 outside host 172.19.1.1
    static translation to 10.99.1.0
    translate_hits = 13, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.0/0 to 10.99.1.0/0 using netmask 255.255.255.0
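To make concrete what the replies above describe (the static takes its mask from the ACL's source network, and a static, unlike the nat/global pair, translates in both directions so the MSP host can reach each mapped IP), here is an added Python model of this thread's policy static NAT. It is constructed for this page, not ASA code; the class and method names are assumptions, and the counters only mirror the translate_hits/untranslate_hits shown by packet-tracer.

```python
import ipaddress

# Constructed model of ASA policy static NAT for the thread's example:
#   access-list msp-nat extended permit ip 192.168.1.0 255.255.255.0 host 172.19.1.1
#   static (inside,outside) 10.99.1.0 access-list msp-nat
# The static carries no netmask; the mapped network takes its mask from the ACL's source.


class PolicyStaticNat:
    def __init__(self, acl_src, acl_src_mask, acl_dst_host, mapped_ip):
        # Real (inside) network exactly as written in the ACL: source + mask.
        self.real_net = ipaddress.ip_network(f"{acl_src}/{acl_src_mask}")
        self.dst_host = ipaddress.ip_address(acl_dst_host)
        # Mapped network: the static's mapped_ip with the ACL's source mask applied.
        self.mapped_net = ipaddress.ip_network(
            f"{mapped_ip}/{self.real_net.prefixlen}", strict=False)
        self.translate_hits = 0
        self.untranslate_hits = 0

    def _shift(self, addr, from_net, to_net):
        # One-to-one mapping: keep the host part, swap the network part.
        offset = int(addr) - int(from_net.network_address)
        return ipaddress.ip_address(int(to_net.network_address) + offset)

    def translate(self, src, dst):
        """Outbound (inside -> outside): rewrite src only when the ACL matches."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.real_net and dst == self.dst_host:
            self.translate_hits += 1
            return str(self._shift(src, self.real_net, self.mapped_net)), str(dst)
        return str(src), str(dst)  # no match: falls through to the nat/global PAT

    def untranslate(self, src, dst):
        """Inbound (outside -> inside): the static is bidirectional, so the MSP host
        reaching a mapped IP is delivered to the matching real IP."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src == self.dst_host and dst in self.mapped_net:
            self.untranslate_hits += 1
            return str(src), str(self._shift(dst, self.mapped_net, self.real_net))
        return str(src), str(dst)

    def summary(self):
        # Same information as the packet-tracer "Static translate ..." line.
        return (f"Static translate {self.real_net.network_address} to "
                f"{self.mapped_net.network_address} using netmask {self.real_net.netmask}")


if __name__ == "__main__":
    msp_nat = PolicyStaticNat("192.168.1.0", "255.255.255.0", "172.19.1.1", "10.99.1.0")
    print(msp_nat.summary())
    print(msp_nat.translate("192.168.1.5", "172.19.1.1"))    # ('10.99.1.5', '172.19.1.1')
    print(msp_nat.translate("192.168.1.5", "8.8.8.8"))       # unchanged, PAT handles it
    print(msp_nat.untranslate("172.19.1.1", "10.99.1.5"))    # ('172.19.1.1', '192.168.1.5')
```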
