trying to understand static translation on the firewall

network770
Level 1

We are about to connect a remote office to our data center and we have an ASA on the Internet (at both sites), but the remote office we are connecting has a conflicting segment with the data center - 192.168.10.0 255.255.255.0.

So in order for the data center to talk to the remote office we did the following on the remote office firewall:

static (inside,outside) 192.168.100.0 192.168.10.0 net 255.255.255.0

With this we are expecting the data center to access the remote office using 192.168.100.0 and the firewall should translate it to 192.168.10.0, and that was not working, still not sure why... It's very strange. After doing some more research I ended up doing this on the remote office firewall:

static (inside,outside) 192.168.100.0 access-list VPN

access-list VPN extended permit ip object-group INTERNAL_NETWORK object-group REMOTE_SITE

where INTERNAL_NETWORK is an object group with the IP address of the remote office and REMOTE_SITE is the data center IP addresses.

Can someone please clarify, am I missing something with the translation?

2 Replies

Maykol Rojas
Cisco Employee

Hello Ronni,

That's weird, the first one should have done the trick. Would you please paste the output of the commands sh run static and show run nat? The first static should have done the trick.

Mike

Mike

We changed the config and it's no longer available, but yes, I agree with you that it should have worked, as I had this working in other environments. It is weird.

But my question is, what is the difference between the 2 methods of translation? Why would you use one over the other? How does the access-list translation work anyhow?
