Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2475
Views
0
Helpful
1
Comments

SNAT and Site2Site VPN, does it work?

TomHofmann
Level 1
Level 1

‎11-04-2009 11:01 PM - edited ‎03-08-2019 06:31 PM

Hello,

I have a question regarding dynamic policy NAT and IPSEC Site2Site connections.
Kinda hard to explain, but I will do my best.

The current setup is
- two sites, site A (ASA 5520) and site B (ASA5505). Botw with FW 8.2
- Both sites are connected via IPSec S2S tunnel
- At site A I have a customer router connected, with a transfer network of 192.168.1.0/29
- Our customer requieres us to SNAT every connection that goes to the customer network 172.16.0.0/20
- The SNAT IP has to be from the transfer network 192.168.1.0/29

At site A it works quite simple.
I have a dynamic policy NAT defined that every source IP from site A ( 10.10.0.0/10 )
that has 172.16.0.0/20 as destination will be translated to 192.168.1.1

The problem is site B ( 10.20.0.0/16 ).
In this case I have a dyn. policy NAT at the ASA5505 at site B.
Every source IP from site B ( 10.20.0.0/10 ) that has 172.16.0.0/20 as destination will be translated to 192.168.1.2.
This IP is included in the S2S tunnel to site A and should be normaly forwared.
When I try to access the customer network at site A, it works pretty fine. When I try this at site B I don't get any connection.
At site B I don't see any errors. ACLs, NAT, the IPSec tunnel, everything seems to be fine. The source IP gets natted, enters the tunnel and is sent to site A.
At site A I also don't see any errors at all.
All I see is something like this on the ASA site A:
6 Oct 26 2009 12:18:04 302013 192.168.1.1 14304 10.188.45.68 8001 Built inbound TCP connection 182622841 for outside:192.168.1.1/14304 (192.168.2.1/14304) to int_trans_network:172.16.1.1/8001 (172.16.1.1/8001)

Strange thing is that I don't see any packets leaving the interface on the ASA. Is there any FW bug?!

Any comments and recommendations are welcome!!

Regards
Tom

Preview file
20 KB
0 Helpful
Comments
Satheshkumar Nallasamy
Level 1
Level 1
‎11-09-2009 10:39 PM

Thank you for your posting and interest in the Cisco Support Community.  For best practices on posting documents in this community you can refer to

https://supportforums.cisco.com/docs/DOC-6022#Can_I_use_documents_to_post_technical_questions

For technical questions related to a Cisco Product or Technology, we encourage you to post on the Network Professionals Forum (NetPro). For your question on <specify Cisco Product or technology> you can go to <put the link to the specific forum, e.g. if the question is related to VPN ,  put the post in VPN

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents