NATing my ASA 5505 encryption private network to Public

Ahmed Abdi
Level 1

Hello Cisco Community,

I was wondering if you could help me with the issue below. I have a Cisco ASA 5505 which I use to set up

my site-to-site tunnels, and we use private IP addresses for our encryption domains. Recently our new partner informed

us they no longer use/accept private IP addresses for their VPN tunnels, so I tried to use port forwarding, creating a static NAT:

partner Encryption domain = 72.x.x.x

my public address =  59.x.x.x

my encryption domains = 192.168.45.5/24

 

Partner encryption domain ----> my public IP address (as port forwarding) ---->> my encryption domain (private IP address)

 

Tunnel status is up, but my local network traffic going to the partner's side is not happening; partner traffic is visible in the logs.

Thanks for all your assistance.

Sorry for my broken English.

1 Accepted Solution

It is best you have a dedicated public IP for this policy-static nat, instead of using same public IP address you have on the ASA's outside interface.


15 Replies

rizwanr74
Level 7

Hello Ahmed,

 

Who initiates the traffic: is it from your side of the tunnel or from your new partner's side, or do both parties initiate the traffic?

What version of ASA software are you running?

 

thanks

Rizwan Rafeek

 

Hi rizwanr74,

Thanks for the reply. The new partner is initiating the traffic;

he is hitting the ASA (I can see it from the logs), but the traffic is not going to the target devices.

 

Thanks

 

 

Hello Ahmed,

 

Check that the route (i.e. the remote subnet route) points in the right direction, that is, the route is pushed toward the ASA's gateway address, and from your internal switches the route is pushed toward the ASA inside address.

 

If that didn't resolve the problem, post your whole config and tell me which tunnel is the one you are having the issue with.

 

Happy Ramadan.

 

thanks

Rizwan Rafeek.

 

Rizwan,

My new partner is no longer accepting any private IP address, so I was thinking whether it's possible to trick my local private address into acting as public.

I tried port forwarding and it didn't work.

 

Attached is how the tunnel looks.

What software version are you running on your ASA?

 

Rizwan,

My ASA version is 8.2

 

Thanks

 

 

 

 

Hello Ahmed,

 

What you need is a static policy NAT.

You need to fill in the x values for the subnet mask and IP addresses in the example below.

 

access-list NET1 permit ip host 192.168.45.5 host 72.x.x.x 

static (inside,outside) 59.x.x.x access-list NET1

 

Include your NATted IP address, 59.x.x.x, in the crypto ACL.

 

Let me know, if this helps.

Thanks

Rizwan Rafeek

Hello Rizwan,

What will be the remote-local address that my partner will configure as my encryption domain: will it be my ASA outside interface too, or another virtual public IP address?

 

Thanks for the help.

Ramadan Kareem

It is best you have a dedicated public IP for this policy-static nat, instead of using same public IP address you have on the ASA's outside interface.

 

 

Hi Rizwan,

 

It worked, got the hint from policy static NAT.

Thank you.

 

Hello Rizwan,

Can I use another static NAT policy pointing to the same target server?

 

Like:

local private IP ----> remote encryption domain ----- interface outside ---- public NATted IP address

Can I use the same static NAT policy rule for:

local private IP ----> second remote encryption domain ----- interface outside ---- second public NATted IP address

 

 

Hi Ahmed,

 

"Can I use another static NAT policy pointing to the same target server?"

You mean your remote destination or source address, i.e. 192.168.45.5?

As long as the two highlighted IP addresses below (192.168.45.5 and 59.x.x.x) do not change, you can use the same ACL (NET1) to change the remote destination address. As you know, those two IP addresses have a one-to-one relation.

 

access-list NET1 permit ip host 192.168.45.5 host 72.x.x.x 

static (inside,outside) 59.x.x.x access-list NET1

 

Hope that answers your question.

Thanks

Rizwan Rafeek

I just want to add more clarity to my answer below. You can keep adding additional remote destinations as shown below.

 

access-list NET1 permit ip host 192.168.45.5 host 72.x.x.x 

access-list NET1 permit ip host 192.168.45.5 host 102.x.x.x 

access-list NET1 permit ip host 192.168.45.5 host 202.x.x.x 

access-list NET1 permit ip host 192.168.45.5 host 22.x.x.x 

access-list NET1 permit ip host 192.168.45.5 host 52.x.x.x 

access-list NET1 permit ip host 192.168.45.5 host 62.x.x.x 
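The two posts above (the static policy NAT with the NATted address in the crypto ACL, and one NET1 ACL carrying several partner destinations) rely on the ASA evaluating NAT before it compares outbound traffic against the crypto ACL. The model below is an added example, not Cisco code and not part of this thread; it reproduces that evaluation order in Python so the effect of each ACL line can be checked. The addresses are constructed stand-ins from the RFC 5737 documentation ranges for the thread's masked 59.x.x.x (a dedicated mapped public IP) and 72.x.x.x (two partner locations) values.

```python
"""Model of ASA 8.2 static policy NAT feeding a crypto ACL.

Added example; it does not talk to an ASA. It reproduces the order of
operations the thread relies on: an inside-to-outside packet is translated
first, and only then is the crypto ACL matched against the translated
addresses. All addresses are constructed stand-ins.
"""
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (source host, destination host) == "permit ip host A host B"

WEBSERVER = "192.168.45.5"      # local encryption domain host (from the thread)
MAPPED_PUBLIC = "203.0.113.10"  # stand-in for a dedicated public IP (59.x.x.x)
PARTNER_1 = "198.51.100.1"      # stand-in for partner location 1 (72.x.x.1)
PARTNER_2 = "198.51.100.2"      # stand-in for partner location 2 (72.x.x.2)

# access-list NET1 permit ip host 192.168.45.5 host <partner>   (one line per partner)
NET1: List[Rule] = [(WEBSERVER, PARTNER_1), (WEBSERVER, PARTNER_2)]

# static (inside,outside) <mapped> access-list NET1
STATIC_POLICY_NAT = {"mapped": MAPPED_PUBLIC, "acl": NET1}

# Crypto ACL written the way the thread says it must be: with the NATted source.
CRYPTO_ACL_POST_NAT: List[Rule] = [(MAPPED_PUBLIC, PARTNER_1), (MAPPED_PUBLIC, PARTNER_2)]
# The same ACL written with the private source, which never matches post-NAT traffic.
CRYPTO_ACL_PRIVATE: List[Rule] = [(WEBSERVER, PARTNER_1), (WEBSERVER, PARTNER_2)]


def acl_permits(acl: List[Rule], src: str, dst: str) -> bool:
    """Simple host/host permit ACL: any matching line permits the flow."""
    return any(src == s and dst == d for s, d in acl)


def translate_outbound(src: str, dst: str) -> str:
    """Inside-to-outside: policy NAT rewrites the source only for flows the ACL permits."""
    if acl_permits(STATIC_POLICY_NAT["acl"], src, dst):
        return STATIC_POLICY_NAT["mapped"]
    return src  # other destinations keep the private source (no matching policy)


def translate_inbound(src: str, dst: str) -> Optional[str]:
    """Outside-to-inside: the static is one-to-one, so partner traffic to the mapped
    address is handed to the real host, but only from a partner listed in the ACL."""
    if dst != STATIC_POLICY_NAT["mapped"]:
        return None
    for real_host, partner in STATIC_POLICY_NAT["acl"]:
        if partner == src:
            return real_host
    return None


def classify_outbound(src: str, dst: str, crypto_acl: List[Rule]) -> Dict[str, object]:
    """NAT first, then crypto ACL against the translated packet."""
    src_on_wire = translate_outbound(src, dst)
    return {"src_on_wire": src_on_wire,
            "encrypted": acl_permits(crypto_acl, src_on_wire, dst)}


if __name__ == "__main__":
    for dst in (PARTNER_1, PARTNER_2, "192.0.2.50"):
        print(dst, classify_outbound(WEBSERVER, dst, CRYPTO_ACL_POST_NAT))
    print("private-address crypto ACL:",
          classify_outbound(WEBSERVER, PARTNER_1, CRYPTO_ACL_PRIVATE))
    print("inbound from partner 1 lands on", translate_inbound(PARTNER_1, MAPPED_PUBLIC))
```

Running it shows both partner destinations leaving with the mapped source and matching the crypto ACL, a non-partner destination leaving untranslated and unencrypted, and the private-address crypto ACL matching nothing, which is the "tunnel up, no traffic" symptom the thread started with.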

Rizwan,

Thanks for the clarification, but what I mean is that

my local webserver 192.168.45.5 will remain the same, but our partner's encryption domains will be different, i.e.

 

Partner Location 1

Encryption domain 72.x.x.1

Partner Location 2

Encryption domain 72.x.x.2

 

My local webserver 192.168.45.5

My point is: can I use two different static NAT policies for the local webserver, as attached below?

 

 
