05-26-2010 01:11 PM - edited 03-11-2019 10:51 AM
Hello all,
I have a VPN with a vendor, but he's using the same inside networks that I am, and he apparently can't NAT on his side, so I'm trying to set up dynamic NAT for his incoming and outgoing traffic on the tunnel.
This is the config I've come up with; can you let me know if this will work (see the picture below)?
object-group network vendor-inside
network-object host 10.80.208.243
network-object host 10.80.88.47
access-list outside_470_cryptomap line 1 remark Vendor VPN Tunnel traffic
access-list outside_470_cryptomap line 2 extended permit ip 10.0.2.176 255.255.255.240 object-group vendor-inside
nat (external) 3 access-list outside_470_cryptomap
global (internal) 3 10.80.179.113-10.80.179.126 netmask 255.255.255.240
05-27-2010 04:33 AM
Hi,
The configuration seems fine.
I think that when you do outside NAT:
nat (external) 3 access-list outside_470_cryptomap
You do:
nat (external) 3 access-list outside_470_cryptomap outside
Let us know if you have any problems.
Federico.
06-03-2010 02:17 AM
Hello!
I have connected a partner company through L2L-IPSEC. I'm trying to use reverse NAT, like in that example, to NAT the partner's addresses into my private network. But there are no hits in NAT. What's wrong?
06-03-2010 06:55 AM
You're trying to NAT the remote 10.0.2.176/28 when coming to your object-group vendor-inside, correct?
So you're saying:
access-list outside_470_cryptomap line 2 extended permit ip 10.0.2.176 255.255.255.240 object-group vendor-inside
nat (external) 3 access-list outside_470_cryptomap
global (internal) 3 10.80.179.113-10.80.179.126 netmask 255.255.255.240
If you're coming from computer 10.0.2.x, can you try a "sh xlate" and see if you get translations for that host?
Federico.
06-03-2010 10:57 PM
coto.fusionet wrote:
You're trying to NAT the remote 10.0.2.176/28 when coming to your object-group vendor-inside, correct?
So you're saying:
access-list outside_470_cryptomap line 2 extended permit ip 10.0.2.176 255.255.255.240 object-group vendor-inside
nat (external) 3 access-list outside_470_cryptomap
global (internal) 3 10.80.179.113-10.80.179.126 netmask 255.255.255.240
If you're coming from computer 10.0.2.x, can you try a "sh xlate" and see if you get translations for that host?
Federico.
Well, I tried "sh xlate" and have no translations for this NAT rule. I looked at "sh nat" and there are no hits on this rule (translate_hits = 0, untranslate_hits = 0).
The same rule on this ASA for external real IPs coming to another host works properly. This rule from L2L-IPSEC to inside does not work. I used Wireshark and see packets from the real IP; NAT does not work.
Why does this NAT normally work from outside to inside and not work from IPSEC to inside?
06-04-2010 09:05 AM
NAT works for non-encrypted traffic from outside to inside?
NAT does not work for encrypted traffic from outside to inside?
NAT should work for either unencrypted or encrypted traffic.
Could you post just your current NAT rule for both scenarios?
Federico.
06-06-2010 11:04 PM
NAT works for non-encrypted traffic from outside to inside?
Yes
NAT does not work for encrypted traffic from outside to inside?
Yes
NAT should work for either unencrypted or encrypted traffic.
It should, yes. But it does not work.
This is the NAT rule for encrypted traffic. The integrator comes through IPSEC from outside and goes to inside. NAT did not work:
access-list Integrator2Local extended permit ip host 192.168.1.23 10.10.1.0 255.255.255.0
global (inside) 3 10.10.0.3-10.10.0.14 netmask 255.255.255.240
nat (outside) 3 access-list Integrator2Local outside
I need to translate host 192.168.1.23: when this host sends a packet into network 10.10.1.0/24, translate it to address 10.10.0.3.
The same rule (except the traffic goes to the DMZ), but I think this does not matter. This rule works well:
access-list REALHOSTS extended permit ip any host 19.17.9.26
global (DMZ) 2 10.20.20.128-10.20.20.254 netmask 255.255.255.128
nat (outside) 2 access-list REALHOSTS outside
In this rule I need to translate any real address coming to host 19.17.9.26 into network 10.20.20.128/25.
06-07-2010 01:48 PM
Thanks for the reply; see above for corrected config.
06-07-2010 01:47 PM
DimonRonD wrote:
Hello!
I have connected a partner company through L2L-IPSEC. I'm trying to use reverse NAT, like in that example, to NAT the partner's addresses into my private network. But there are no hits in NAT. What's wrong?
Hi DimonRonD,
Not sure about your setup, but mine was backwards:
I had:
access-list LUXATLASA01e_470_cryptomap extended permit ip 10.0.2.176 255.255.255.240 object-group Vendor-inside
It should be:
access-list LUXATLASA01e_cryptomap_470 extended permit ip 10.80.0.0 255.255.0.0 10.0.2.176 255.255.255.240
Also had to add:
access-list LUXATLASA01i_nat0_outbound extended permit ip object-group Vendor-inside 10.0.2.176 255.255.255.240
I highly recommend opening a ticket with TAC for configuration assistance so they can help you understand the config. If they can teach me, they can teach anyone!
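An added simulation (not from this thread and not Cisco code) of how a pre-8.3 ASA evaluates `nat (outside) <id> access-list <acl> outside` together with a `global (inside)` pool, using DimonRonD's Integrator2Local rule as the scenario: the policy ACL is matched against the real source and destination of the packet as it arrives on the outside interface, so an ACL written in the opposite direction never matches and shows exactly the translate_hits = 0 reported above. The hosts 10.10.1.50, 10.10.1.51 and 192.168.1.24 are constructed sample addresses.

```python
"""Model of ASA (pre-8.3) outside dynamic policy NAT matching.

Rule being modelled (from the thread):
    access-list Integrator2Local extended permit ip host 192.168.1.23 10.10.1.0 255.255.255.0
    global (inside) 3 10.10.0.3-10.10.0.14 netmask 255.255.255.240
    nat (outside) 3 access-list Integrator2Local outside
"""
import ipaddress


class OutsidePolicyNat:
    def __init__(self, acl, pool_start, pool_end):
        # acl: list of (source_net, destination_net) in REAL (untranslated) addresses
        self.acl = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in acl]
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end))
        self.pool = [str(ipaddress.ip_address(a)) for a in range(first, last + 1)]
        self.xlate = {}          # real source -> mapped (global pool) address
        self.translate_hits = 0  # what 'show nat' counts for this rule

    def translate(self, src, dst):
        """Return the mapped source for a packet, or None when the ACL does not match."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in sn and d in dn for sn, dn in self.acl):
            return None          # no policy match: no xlate, hit counter unchanged
        if src not in self.xlate:
            if len(self.xlate) >= len(self.pool):
                # a real ASA drops the packet when the dynamic pool is exhausted
                raise RuntimeError("dynamic NAT pool exhausted")
            self.xlate[src] = self.pool[len(self.xlate)]
        self.translate_hits += 1
        return self.xlate[src]


# Constructed sample packets as they arrive on 'outside' (decrypted from the tunnel)
PACKETS = [("192.168.1.23", "10.10.1.50"),
           ("192.168.1.23", "10.10.1.51"),
           ("192.168.1.24", "10.10.1.50")]  # not covered by the ACL


def run(acl):
    nat = OutsidePolicyNat(acl, "10.10.0.3", "10.10.0.14")
    mapped = [nat.translate(s, d) for s, d in PACKETS]
    return nat.translate_hits, mapped


def correct_direction():
    # ACL written the way the packet really arrives: remote source -> local destination
    return run([("192.168.1.23/32", "10.10.1.0/24")])


def reversed_direction():
    # ACL written local -> remote: never matches, translate_hits stays 0
    return run([("10.10.1.0/24", "192.168.1.23/32")])


if __name__ == "__main__":
    print("correct :", correct_direction())
    print("reversed:", reversed_direction())
```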