I have a question regarding dynamic policy NAT and IPSEC Site2Site connections. Kinda hard to explain, but I will do my best.
The current setup is - two sites, site A (ASA 5520) and site B (ASA5505). Botw with FW 8.2 - Both sites are connected via IPSec S2S tunnel - At site A I have a customer router connected, with a transfer network of 192.168.1.0/29 - Our customer requieres us to SNAT every connection that goes to the customer network 172.16.0.0/20 - The SNAT IP has to be from the transfer network 192.168.1.0/29
At site A it works quite simple. I have a dynamic policy NAT defined that every source IP from site A ( 10.10.0.0/10 ) that has 172.16.0.0/20 as destination will be translated to 192.168.1.1
The problem is site B ( 10.20.0.0/16 ). In this case I have a dyn. policy NAT at the ASA5505 at site B. Every source IP from site B ( 10.20.0.0/10 ) that has 172.16.0.0/20 as destination will be translated to 192.168.1.2. This IP is included in the S2S tunnel to site A and should be normaly forwared. When I try to access the customer network at site A, it works pretty fine. When I try this at site B I don't get any connection. At site B I don't see any errors. ACLs, NAT, the IPSec tunnel, everything seems to be fine. The source IP gets natted, enters the tunnel and is sent to site A. At site A I also don't see any errors at all. All I see is something like this on the ASA site A: 6 Oct 26 2009 12:18:04 302013 192.168.1.1 14304 10.188.45.68 8001 Built inbound TCP connection 182622841 for outside:192.168.1.1/14304 (192.168.2.1/14304) to int_trans_network:172.16.1.1/8001 (172.16.1.1/8001)
Strange thing is that I don't see any packets leaving the interface on the ASA. Is there any FW bug?!