ASA# show ipsec sa peer 2.2.2.3
peer address: 2.2.2.3
    Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

      access-list VOXENT-CRYPTOMAP-17 extended permit ip 172.31.174.0 255.255.255.0 172.31.255.128 255.255.255.128
      local ident (addr/mask/prot/port): (172.31.174.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      current_peer: 2.2.2.3

      #pkts encaps: 6836, #pkts encrypt: 6836, #pkts digest: 6836
      #pkts decaps: 6836, #pkts decrypt: 6836, #pkts verify: 6836
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6836, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.6.6.2, remote crypto endpt.: 2.2.2.3

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8CDA73C1
      current inbound spi : 7A27569C

    inbound esp sas:
      spi: 0x7A27569C (2049398428)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914792/621)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x8CDA73C1 (2363126721)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914792/620)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

      access-list VOXENT-CRYPTOMAP-17 extended permit ip 172.31.175.0 255.255.255.0 172.31.255.128 255.255.255.128
      local ident (addr/mask/prot/port): (172.31.175.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      current_peer: 2.2.2.3

      #pkts encaps: 12896, #pkts encrypt: 12896, #pkts digest: 12896
      #pkts decaps: 12896, #pkts decrypt: 12896, #pkts verify: 12896
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 12896, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.6.6.2, remote crypto endpt.: 2.2.2.3

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2E98BB05
      current inbound spi : 42F157C5

    inbound esp sas:
      spi: 0x42F157C5 (1123112901)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914617/615)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2E98BB05 (781761285)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-VPN
         sa timing: remaining key lifetime (kB/sec): (3914617/615)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: MAP-DYN, seq num: 20, local addr: 6.6.6.2

      local ident (addr/mask/prot/port): (172.31.178.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.255.128/255.255.255.128/0/0)
      current_peer: 2.2.2.3

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 858, #pkts decrypt: 858, #pkts verify: 858
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.6.6.2, remote crypto endpt.: 2.2.2.3

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0C6A6AB8
      current inbound spi : 9B265EB9

    inbound esp sas:
      spi: 0x9B265EB9 (2602983097)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-DYN
         sa timing: remaining key lifetime (kB/sec): (3914936/675)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0C6A6AB8 (208300728)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 60235776, crypto-map: MAP-DYN
         sa timing: remaining key lifetime (kB/sec): (3915000/675)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

So I would remove this...

global (outside) 11 172.31.174.1-172.31.174.254 netmask 255.255.255.0
global (outside) 12 172.31.175.1-172.31.175.254 netmask 255.255.255.0
global (outside) 13 172.31.178.1-172.31.178.254 netmask 255.255.255.0
global (outside) 14 172.31.176.1-172.31.176.254 netmask 255.255.255.0
global (outside) 15 172.31.177.1-172.31.177.254 netmask 255.255.255.0

And keep this...

access-list FAR_STATIC_NAT_11 extended permit ip 10.30.1.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_12 extended permit ip 10.30.16.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_13 extended permit ip 10.30.3.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_14 extended permit ip 10.30.12.0 255.255.255.0 172.31.255.128 255.255.255.128
access-list FAR_STATIC_NAT_15 extended permit ip 10.30.7.0 255.255.255.0 172.31.255.128 255.255.255.128

static (inside,outside) 172.31.174.0  access-list FAR_STATIC_NAT_11
static (inside,outside) 172.31.175.0  access-list FAR_STATIC_NAT_12
static (inside,outside) 172.31.178.0  access-list FAR_STATIC_NAT_13
static (inside,outside) 172.31.176.0  access-list FAR_STATIC_NAT_14
static (inside,outside) 172.31.177.0  access-list FAR_STATIC_NAT_15

Hi Mike,

So, it is being terminated on the correct crypto instance 72.

Crypto map tag: MAP-VPN, seq num: 72, local addr: 6.6.6.2

The reason you don't see other other ACL entries on the IPSec SA, is because, that particular flow of data flow was not initiated by users who are behind those private-ip ranges.

thanks

I have continuous pings from all the sites.

Let's start from scratch and I will let you know what I need to accomplish.

I have a main site with other sites that connect to the main site through a private MPLS.

All traffic from the remote sites and the main site will be going across this one tunnel and must be NATed as follows.

Remember the ASA is running 8.2.5 software.

The main site subnet is 172.30.1.0/24

Site A subnet is 172.30.16.0/24

Site B subnet is 172.30.3.0/24

These subnets need to be NATed to the following so they look like they are originating from these subnets

172.30.1.0/24 NAT to 172.31.174.0/24

172.30.16.0/24 NAT to 172.31.175.0/24

172.30.3.0/24 NAT to 172.31.178.0/4

So this will happen.....

172.30.1.111 will NAT to and look like on the other side as 172.31.174.111

so the last octet is preserved.

this traffic only needs to be NATed if the destination subnet is 172.31.255.128/25

How would you configure this.

Local outside IP address is 1.1.1.1

Local inside IP address is 172.30.1.254

The peer IP address is 2.2.2.2

Mike

First make sure your ASA has the route to subnets coming from MPLS cloud.

Your static-policy-nat is fine, unless remote-tunnel subnet overlap with another remote-tunnel of yours and if that is not the case.

You may try this.  I normally use a dynamic-nat as shown below, when traffic is only initiate from my side not from remote-tunnel side.

global (outside) 11 172.31.174.1 netmask 255.255.255.255
nat (inside) 11 access-list FAR_STATIC_NAT_11

global (outside) 12 172.31.175.1 netmask 255.255.255.255
nat (inside) 12 access-list FAR_STATIC_NAT_12

global (outside) 13 172.31.178.1 netmask 255.255.255.255
nat (inside) 13 access-list FAR_STATIC_NAT_13

global (outside) 14 172.31.176.1 netmask 255.255.255.255
nat (inside) 14 access-list FAR_STATIC_NAT_14

global (outside) 15 172.31.177.1 netmask 255.255.255.255
nat (inside) 15 access-list FAR_STATIC_NAT_15

Let me know.

thanks

That will translate ip address lets say in the subnet 172.30.7.0/24 to just one IP address 172.31.177.1 that is not what I need...

172.30.7.101 should NAT to 172.31.177.101

172.30.7.23 should NAT to 172.31.177.23

172.30.7.12 should NAT to 172.31.177.12

and so on for all the Subnets