Cisco 887 used for service entry in foreign network (subnetted with different gateways)

Patrick Peters, Level 1

I am currently trying to build a VPN tunnel from our network (using an ASA5505) to a customer network using a Cisco 887VA-SEC-K9. The tunnel is working fine and traffic can be exchanged. The only problem I have is creating the correct NAT statement in order to use the local interface address of the Cisco887 for traffic originating from the ASA side (NAT object 192.168.4.254).

ASA5505 traffic is NATed to object 192.168.4.254 and sent along the VPN to the Cisco887.

Cisco887 local IP 10.6.24.1/19 with gateways for different subnets (but that is not the problem).

I am already able to ping 10.6.24.1 from the ASA side.

The problem is the network attached to the Cisco887. When I try to ping the host 10.6.24.102, the host receives this ping from IP 192.168.4.254. Since this host uses a different gateway (10.6.31.254), the reply is returned to this gateway.

I already added a NAT statement:

ip nat outside source static 192.168.4.254 10.6.24.1

This translates 192.168.4.254 to 10.6.24.1, as I saw using tcpdump on the 10.6.24.102 host, and the host also sends the reply to 10.6.24.1, but this reply is never un-NATed and forwarded by the Cisco887 up into the VPN tunnel.

Any help is very much appreciated.

----

8 Replies

Hello,

I am not sure I understand what you are trying to accomplish. Traffic from 10.6.0.0 0.0.255.255 to 192.168.4.0 0.0.0.255 is not NATted (you excluded that in your NAT access list). 

I think we can better help if you include a schematic drawing of your setup and indicate what exactly is not working.

Patrick,

looking at the issue again, I think you need to allow the other gateway, 10.6.31.254, to be NATted. Can you add the following (the first permit line below) to your access list? This should at the very least allow a response when you ping that gateway from the ASA.

ip access-list extended NAT
remark ########################################
permit ip host 10.6.31.254 192.168.4.0 0.0.0.255
deny ip 10.6.0.0 0.0.255.255 192.168.4.0 0.0.0.255
permit ip 10.6.0.0 0.0.255.255 any

Hi gpauwen,

Thank you for helping out. I tried your permit rule but it did not work. I am using the extended NAT ACL as a nonat list only for the dialer0, in order to NAT traffic from inside to the Internet in case our service engineer needs Internet access onsite. All other traffic is simply routed from the VPN to the inside subnet at the customer premises and back. I think the problem is with the inside and outside NAT interfaces. Maybe it isn't possible with Cisco to do this on an interface already acting as inside NAT?

Would a loopback device acting as outside nat be an option; maybe overlapping subnets or using a completely different IP range through the VPN tunnel.

For more information on what I am trying to accomplish, please see the attachment with the network drawing.

Patrick,

I am going to lab this in GNS. Will get back with you...

Hello Patrick,

I recreated your setup, and the only thing I changed was to add a default route on the Gateway router (the one with IP address 10.6.31.254), pointing to 10.6.24.1:

ip route 0.0.0.0 0.0.0.0 10.6.24.1

Without that route, I could not get from 10.6.24.102 to the ASA.

Your NAT setup is actually fine. You deny interesting traffic that should go through the VPN, and allow all other traffic to be NATted. Your access list 100 defines the same interesting traffic that is denied in the NAT access list. This all looks ok.

ip access-list extended NAT
deny ip 10.6.0.0 0.0.255.255 192.168.4.0 0.0.0.255 
permit ip 10.6.0.0 0.0.255.255 any
!
access-list 100 permit ip 10.6.0.0 0.0.255.255 192.168.4.0 0.0.0.255

The 'Unknown Router', is that under your control? Can you try to ping the ASA from that router?
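The point in the reply above, that access-list 100 (the crypto map's interesting traffic) and the deny line of the NAT access list must describe the same traffic, can be checked mechanically. On IOS, inside-to-outside packets are translated by NAT before they are compared against the crypto ACL, so any flow the crypto ACL permits must hit a deny in the NAT ACL first; otherwise its source is rewritten and it never enters the tunnel. The following is an added example, not code from the thread or from Cisco: a small parser for the IOS ACL syntax used in this thread (named extended and numbered lists, `any`, `host`, and address/wildcard operands, protocol `ip` only) plus a check that reports flows the crypto ACL selects but the NAT ACL would still translate. The function names, the `NAT_ACL_GATEWAY_FIRST` variant (the NAT list with the per-gateway permit placed ahead of the deny, as suggested earlier in the thread) and the sample flows in `FLOWS` are my constructions; the ACL text itself is copied from the posts.

```python
"""Consistency check of an IOS crypto ACL against the NAT-exemption ACL.

Added example, not from the thread. IOS translates inside-to-outside traffic
before evaluating the crypto map's interesting-traffic ACL, so every flow the
crypto ACL permits must be denied (exempted) by the NAT ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry; protocol 'ip' only, no port matching."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def net_from_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))   # wildcard bits set = don't care
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _operand(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return net_from_wildcard(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'ip access-list extended X' entries or numbered 'access-list N ...' lines."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip", "remark"):   # header, comment, remark lines
            continue
        if tokens[0] == "access-list":                          # numbered form: drop 'access-list 100'
            tokens = tokens[2:]
        if tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _operand(rest)
        dst, _ = _operand(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def nat_exemption_conflicts(crypto_acl, nat_acl, flows):
    """Flows the crypto ACL selects for the tunnel that the NAT ACL would still translate."""
    return [(s, d) for s, d in flows
            if lookup(crypto_acl, s, d) == "permit" and lookup(nat_acl, s, d) == "permit"]


# ACLs as quoted in the thread
NAT_ACL = """
ip access-list extended NAT
 deny ip 10.6.0.0 0.0.255.255 192.168.4.0 0.0.0.255
 permit ip 10.6.0.0 0.0.255.255 any
"""
CRYPTO_ACL = "access-list 100 permit ip 10.6.0.0 0.0.255.255 192.168.4.0 0.0.0.255"

# Constructed variant: the per-gateway permit placed ahead of the deny
NAT_ACL_GATEWAY_FIRST = """
ip access-list extended NAT
 remark ########################################
 permit ip host 10.6.31.254 192.168.4.0 0.0.0.255
 deny ip 10.6.0.0 0.0.255.255 192.168.4.0 0.0.0.255
 permit ip 10.6.0.0 0.0.255.255 any
"""

# Constructed sample flows (src, dst) built from the addresses in the thread
FLOWS = [
    ("10.6.24.102", "192.168.4.254"),   # customer host replying to the ASA-side NAT object
    ("10.6.31.254", "192.168.4.254"),   # the other gateway replying to the ASA side
    ("10.6.24.102", "203.0.113.10"),    # onsite engineer reaching the Internet via Dialer0
]

if __name__ == "__main__":
    for name, text in (("NAT", NAT_ACL), ("NAT, gateway permit first", NAT_ACL_GATEWAY_FIRST)):
        bad = nat_exemption_conflicts(parse_acl(CRYPTO_ACL), parse_acl(text), FLOWS)
        print(f"{name}: {'consistent' if not bad else 'translated before crypto: ' + str(bad)}")
```

With the ACLs from the lab reply the check finds no conflict: the customer host's reply to 192.168.4.254 is denied in the NAT list and permitted by access-list 100, and the Internet-bound flow is the opposite. With the per-gateway permit placed ahead of the deny, the flow 10.6.31.254 to 192.168.4.254 is permitted by both lists, so it would be translated onto the Dialer0 address before the crypto ACL sees it.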

Hi gpauwen,

No, the router is not under my control. There are in fact many more routers present in this network. Only 10.6.24.1 is allowed upwards on the customer network. That's exactly the reason why I am trying to NAT the traffic going to the customer network with the address of the vlan1 device. Only after I use the statement:

'ip nat outside source static 192.168.4.254 10.6.24.1'

the traffic gets NATed, but then I am left with the problem that packets returning to 10.6.24.1 are not un-NATed to 192.168.4.254 and returned into the VPN.

I am currently looking into examples where overlapping networks are present and double NATing is applied. Perhaps I can use that method also in this scenario.

Patrick,

I admit I am staring myself blind on your setup, so I might be saying stupid things. 

What happens when you reverse the NAT, that is, use both:

ip nat outside source static 192.168.4.254 10.6.24.1

and

ip nat inside source static 10.6.24.1 192.168.4.254

In addition, is it possible to ask the admin of the other router to add:

ip route 10.6.24.0 0.0.31.255 10.6.24.1 

?

Hi gpauwen,

I didn't have the time to work on this project until today. I really can't get the client to update all his routers. I tried a different approach using NVI for dynamically NATing outside-to-inside traffic. It is working now, but this configuration is not 100% correct. If you had used an outside Ethernet interface with a host connected using 192.168.4.254 as its IP address, the traffic initiated from the inside to this host would fail. This is because traffic initiated from the inside to the outside is still un-NATed, and when the host 192.168.4.254 answers, its answer is again NATed to the inside interface and thus the response expected by the inside host is received with a different source address and dropped.

So for now, the added config below makes it work for my specific situation, but you would still need to make some changes in case you would like to route+nat traffic between different interfaces (networks):

--Working additional config----

conf t
!
int vlan 1
 ! activating NVI (ip nat enable instead of ip nat inside/outside)
 ip nat enable
!
int dialer0
 ! activating NVI
 ip nat enable
!
! pool holding only the Vlan1 address, so 192.168.4.254 appears as 10.6.24.1 on the customer side
ip nat pool NAT-POOL-OUT-TO-IN-NAT 10.6.24.1 10.6.24.1 netmask 255.255.0.0
ip nat source list 110 interface Vlan1 overload
ip nat inside source route-map MAP-A pool NAT-POOL-OUT-TO-IN-NAT reversible
!
! traffic arriving from the ASA-side NAT object
access-list 110 permit ip host 192.168.4.254 any
!
route-map MAP-A permit 10
 match ip address 110
!