Problem with Destination NAT or IPFW

Hi everyone.
First of all the description:
First server, enabled services: AFP, DHCP, FIREWALL, NAT, NFS, OPEN DIRECTORY REPLICA, RADIUS and SMB. (This server is connected to 2 internet links and is the gateway for the whole LAN; 1 link is for browsing, which is faster and has a dynamic IP [I already ran a nat.sh to distribute the internet locally], the other is a static IP to redirect to my internal site.)
Second server, enabled services: AFP, DNS, ICAL, NETBOOT, NFS, OPEN DIRECTORY MASTER, PRINT, SMB, SOFT. UPDT and WEB.
My problems:
I have an internal Wiki (Web) site up and running, which can be accessed internally via 10.10.0.4 or andromedadincao.com.br.
When I try external access at www.andromedadincao.com.br it redirects to 201.90.64.34 (this IP is a static one bought on...).
The problem is that my gateway server (the first one) can't redirect to my stable internal IP (10.10.0.4, which is up and running).
What do I need to do? NAT config? Firewall config? Please tell me step by step, 'cause it isn't so easy.
Thanks for the help.

You have 2 Internet connections, maybe from different ISPs, connected to the first machine; one gives you a static public IP and one gives you a dynamic public IP?
These two are on one Interface en0 and the LAN is on en1?
Or how do you connect to the LAN? A third interface?
More than one Internet interface will probably complicate things for NAT redirect/forwarding.
And if web services on the first machine use the same ports as the wiki on the second, it gets even tougher.
Otherwise, if the Wiki uses a different port, editing the NAT conf to forward a port in/on/from the first machine's public IP to the second machine's port and IP could work. Of course, it depends on the first machine's public IP configuration.
This tool might still work: http://www.jamiegriffin.com/gdog/thenatural/
Anyhow using a dual WAN router/firewall would probably be much easier/better.

Similar Messages

  • Problem with no nat after upgrade version

    Hello guys...
    I'm having problems with NAT after the upgrade....
    source = 10.11.7.14
    destination = 10.0.32.10
    The next hop for 10.0.32/24 is 10.0.5.1, via the inside interface. My firewall pings this 10.0.5.1. When I change the routing so it doesn't pass through the firewall, the connection from source to destination works!
    In the log, I'm receiving this message:
    6    Nov 23 2012 15:24:54    302303    spbwts02_0303    55517    10.0.32.10    80
    Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10 /80)
    6    Nov 23 2012 15:27:29    302304    spbwts02_0303    51123    10.0.32.10    80
    Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout
    In 8.2 I had this NAT:
    DMZ interface:
    Exempt     10.0.32.0/24     10.11.7.0/24     (outbound)
    I have a bypass for those networks and services. I guess I don't need the bypass because the packet comes from dmz and goes to inside, right? Anyway, I removed the bypass and nothing happened!
    And now, in 8.4(5) I have:
    DMZ     Inside     obj-10.11.7.0/24     obj-10.0.32.0/24     any      original     original    
    What can be my problem?

    Route, look:
    Before:
    route inside 10.0.32.0 255.255.255.0 10.11.5.1 1
    Now, and working:
    route inside 10.0.32.0 255.255.255.0 10.11.2.3 1
    I don't have an interface in the 10.11.5.0 network. I guess when someone configured the route they put this 10.11.5.1 as the gateway, but I don't know how it was working.
    Now I changed it to 10.11.2.3 and it's OK. My firewall has an interface in the 10.11.2.0 network.
    But the bypass is still a mystery to me!

  • Problem with destination mappings

    Hello
    I'm trying to map an External Service with a Destination in CAF Configuration. In most sources I've found this path:
    1. log in to the CAF runtime configuration.
    2. click on the "Administration Tools" link.
    3. click on the "External Service Configuration" link.
    4. click on the "Service Registry" link.
    And then further operations.
    The problem is that my installation of CAF is different (probably 7.1.1): in <host><port>/caf there is no Administration Tools; instead there is this information:
    Note: Administrative Tools have been moved to NetWeaver Administrator (NWA).
    Authorization Tool can be found in NWA under Configuration Management/Security.
    External Service Configurator can be found in NWA under Configuration Management/Infrastructure/Destinations or under SOA Management/Technical Configuration/Destination Template Management.
    So I've found this tool at Configuration Management/Infrastructure/Destinations. But there is no "Service Registry" link. No link at all - just two panes, where the left ("External Services") is empty and the right ("Destinations") contains the destination as I've configured it.
    The question is: how do I get the left pane filled with external services in order to map a service with a destination? Is it some problem with my local ESR or what?
    Any help will be appreciated.
    Regards
    Maciej
    Edit: It seems that there is no input in my local SR. But when I try to publish a WSDL there I get a WSDL validation error.

    Hi Alexander,
    I am facing the same problem ("left hand area empty in CAF Configuration").
    I followed the blog "Real World Composites" from Benny Schaich.
    /people/benny.schaich-lebek/blog/2008/02/01/real-world-composites-iii--coding
    This is what I did (as described)
    1. imported external Web Service into NWDS CAF application (in fact from the SAP ES Workplace system HU2)
    2. created a new CAF application service which wraps and simplifies the first one
    3. deployed to my 7.1.1 machine
    And now there is the same issue as described.
    The final step "Mapping CAF Service on Server" cannot be carried out, as the list of "external services" is empty.
    So my question:
    What do you mean by "imported external services into NWDS and publish as Web Service"?
    Something different from what was done in 1.-3.?
    Best regards
    Ingos
    Edited by: Ingo Biermann on Jul 21, 2009 4:15 PM

  • Cisco asa traffic flow with destination nat

    Hi Folks,
    Can anybody comment on the below.
    1. In source NATting (inside users accessing the internet), first the NAT will happen, then the routing will happen. I agree with this..
    2. In destination NATting (outside users accessing an inside server on a public IP), what will happen first, NATting or routing? I am looking forward to hearing an explanation.
    regards
    Rajesh

    The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
    The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
    That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from.  On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
    The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
    The short answer:
    The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface. 
         If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
         If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
    The longer answer:
    For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
    Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
         Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
    Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
         Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
       -or-
         Step 2 check B:  Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
         If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; then a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
    Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the NAT translation. You can actually see the NAT divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be misleading.
    Now let's refer to the specific example you outlined in your post; you said:
    route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
    route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
    nat (LAN,ISP-1) after-auto source dynamic any interface
    nat (LAN,ISP-2) after-auto source dynamic any interface
    Now let's say that there is a connection coming from behind the LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before the L3 route lookup?
    The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
    It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
    It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
    Message was edited by: Jay Johnston
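The divert check described in the post above (Step 2, checks A and B, then the fall-back to the global routing table) can be exercised with a small model. The Python below is an added example written for this page, not Cisco code or ASA output: it encodes the two `route` and two `nat` lines quoted in the thread and adds two constructed rules (an identity NAT with an explicit destination, LAN to WAN, and a static publication of a DMZ host on the documentation address 203.0.113.10) so that checks A and B each have a packet that hits them. Interface names other than LAN, ISP-1 and ISP-2, and all addresses other than 10.10.10.10 and 8.8.8.8, are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """One 'nat (real_ifc,mapped_ifc) ...' line, reduced to what the divert check needs."""
    real_ifc: str                    # local (real) interface, e.g. "LAN"
    mapped_ifc: str                  # global (mapped) interface, e.g. "ISP-1"
    kind: str                        # "static" or "dynamic"
    real_src: str = "any"            # real source host/network, or "any"
    mapped_src: str = "interface"    # mapped source, or "interface" for interface PAT
    real_dst: Optional[str] = None   # set only when the line translates the destination
    mapped_dst: Optional[str] = None


@dataclass
class Packet:
    in_ifc: str   # interface the packet arrived on
    src: str
    dst: str


Route = Tuple[str, str, int]   # (prefix, egress interface, administrative distance)


def _matches(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def route_lookup(dst: str, routes: List[Route]) -> Optional[str]:
    """Global routing table: longest prefix wins, then the lower distance."""
    cands = [r for r in routes if _matches(r[0], dst)]
    if not cands:
        return None
    best = max(cands, key=lambda r: (ip_network(r[0], strict=False).prefixlen, -r[2]))
    return best[1]


def divert_check(pkt: Packet, rules: List[NatRule]) -> Optional[str]:
    """Step 2 of the post: the interface NAT 'pulls' the packet to, or None."""
    for r in rules:
        # Check A: arrived on the mapped interface and the destination is a statically
        # mapped address. Dynamic PAT lines are skipped: the post says their divert
        # entries carry ignore=yes.
        if (pkt.in_ifc == r.mapped_ifc and r.kind == "static"
                and r.mapped_src != "interface" and _matches(r.mapped_src, pkt.dst)):
            return r.real_ifc
        # Check B: arrived on the real interface and the line explicitly specifies a
        # destination translation (the NAT-exempt LAN-to-WAN case in the post).
        if (pkt.in_ifc == r.real_ifc and r.real_dst is not None
                and _matches(r.real_src, pkt.src) and _matches(r.real_dst, pkt.dst)):
            return r.mapped_ifc
    return None


def select_egress(pkt: Packet, rules: List[NatRule],
                  routes: List[Route]) -> Tuple[Optional[str], str]:
    """Egress interface plus the mechanism that chose it."""
    forced = divert_check(pkt, rules)
    if forced is not None:
        return forced, "nat-divert"
    return route_lookup(pkt.dst, routes), "routing-table"


# The route and nat lines quoted in the thread
ROUTES: List[Route] = [("0.0.0.0/0", "ISP-1", 1), ("0.0.0.0/0", "ISP-2", 254)]
RULES: List[NatRule] = [
    NatRule("LAN", "ISP-1", "dynamic"),   # nat (LAN,ISP-1) after-auto source dynamic any interface
    NatRule("LAN", "ISP-2", "dynamic"),   # nat (LAN,ISP-2) after-auto source dynamic any interface
    # Constructed (assumption): identity NAT with an explicit destination, LAN to WAN
    NatRule("LAN", "WAN", "static", "10.10.10.0/24", "10.10.10.0/24",
            "172.16.0.0/24", "172.16.0.0/24"),
    # Constructed (assumption): a DMZ host published statically on ISP-1
    NatRule("DMZ", "ISP-1", "static", "10.20.0.5", "203.0.113.10"),
]

if __name__ == "__main__":
    for p in (Packet("LAN", "10.10.10.10", "8.8.8.8"),            # routing table -> ISP-1
              Packet("LAN", "10.10.10.10", "172.16.0.5"),         # check B -> WAN
              Packet("ISP-1", "198.51.100.9", "203.0.113.10")):   # check A -> DMZ
        print(p, "->", select_egress(p, RULES, ROUTES))
```

The LAN-to-8.8.8.8 packet matches neither check and takes the ISP-1 default route (distance 1), which is the behaviour the thread confirmed; the two constructed packets show each check pulling the packet to the other interface of the matching line regardless of what the routing table says.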

  • WRT1900AC Problem With open NAT with multiple Xbox One's

    I am starting a new thread for some possible help with this. I have just recently replaced my R7000 with the WRT1900AC router and for the life of me cannot get my 2 Xbox Ones in the house to have open NAT. Only one of them will show open NAT. Has anyone got this to work, and work 100% of the time? I have reserved the IPs. I tried port forwarding. I tried putting one in the DMZ. I have tried port triggering. None of it works. One will be open, the other stays at moderate. I have got it in strict before as well. I have UPnP on. I cannot figure out what is wrong with it. Ideas? Also, it seems my router reboots on its own, and after turning the LEDs off, after a reboot the wireless LEDs come on. Seems like a bug.

    Hewligun, found this on another Linksys thread; it appears that Linksys may need to update their UPnP and all should be good. Original thread: Packet Dropping thread. Excerpt from thread (Re: WRT1900AC packet dropping, 05-01-2014 06:16 PM): I did some research. Microsoft documents that port forwarding will only work for the one Xbox in the forwarding rule. In the same document it mentions that the only way to have two Xboxes running at the same location behind a router is with UPnP. The UPnP protocol has to be the newest version in order for it to work. I guess the WRT1900AC is running a later version of UPnP, in which case a firmware upgrade will solve this. Keep in mind that Microsoft Xbox Live itself is having documented issues as well, so we can't really know for sure if the UPnP on the WRT1900 is the newer version or not at this point. Look at the affected services in the current Xbox Live status: Affected platforms: Xbox One (outage; Social and Gaming), Xbox 360 (outage; Social and Gaming). Affected services: Accessing all game features; Joining other Xbox Live members in online games; Posting game performance or viewing the performance of other Xbox Live members. https://support.xbox.com/en-CA/xbox-live-status
    Please remember to Kudo those that help you.
    Belkin\Linksys
    Communities Technical Support

  • Problem with destination org of requisition

    Hi everybody,
    I have a few troubles when I use requisitions in centralized procurement. Please help me to cover it.
    For example i have 2 ledger:
    Ledger A -> OU A1 -> Org A1.1, Org A1.2, Org A1.3
    Ledger B -> OU B1 -> Org B1.1
    Can I raise a requisition in OU A1, but with destination org Org B1.1 (not the same ledger)? When creating a requisition in OU A1, I can only choose orgs of OU A1 in the LOV.
    Please give me some advices.
    thanks so much,

    Hi,
    I think requisitions should be created in the requesting org... suppose you want the deliver-to org to be an org of OU B1; then you create your requisitions in B1.
    When creating the PO, use the buyer work center to create the PO in OU A1, but from requisitions made in OU B1, assuming you have set up your intercompany transaction flows.
    Thanks

  • Problems with the new NAT in ASA 5510 (8.4)

    Hi together,
    I have some problems with the NAT statements in ASA version 8.4.
    What I want is to translate the internal address of a server to the external address with a NAT rule.
    The ASA has only one WAN connection (named outside).
    The internal server has the IP address 192.168.0.221 (as an example) and I want to translate all incoming traffic on port 3389 to the server (192.168.0.221).
    This is only for training; I don't want to forward port 3389 into the BAD in a productive network.
    First I create the network object for the inside server (192.168.0.221):
    object network Network_Obj_RDP
    host 192.168.0.221
    After that I create the access rule for incoming traffic on the outside interface:
    access-list outside_access_in extended permit ip any any log debugging
    Next I create an access rule for the inside-prod network to allow the traffic to the RDP server:
    access-list inside-prod_access_in extended permit object RDP interface outside object Network_Obj_RDP
    Now I create the NAT rule in the network object (Network_Obj_RDP):
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    But if I want to connect via 3389 on the outside interface I see this entry in the syslog:
    Built inbound TCP connection 23248 for outside:80.187.107.132/7445 (80.187.107.132/7445) to inside-prod:192.168.0.221/3389 (External IP/3389)
    After a while the connection is torn down with this message:
    Teardown TCP connection 23289 for outside:80.187.107.132/2294 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
    It looks like the ACL works fine, but the NAT translation is wrong...
    Perhaps somebody has an idea to fix this.
    Looking forward and hope for help...
    Many thanks
    Greetings

    Hi Jouni,
    This is the correct Packet Tracer output, I think:
    packet-tracer input inside-prod tcp 192.168.0.220 3389 8.8.8.8 4567
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside-prod_access_in in interface inside-prod
    access-list inside-prod_access_in extended permit ip object Network_Obj-Productiv any log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Static translate 192.168.0.220/3389 to 80.146.252.162/3389
    Phase: 6
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 825, packet dispatched to next module
    Result:      
    input-interface: inside-prod
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    That looks pretty fine, but the way back isn't right:
    packet-tracer input outside tcp 8.8.8.8 4567 192.168.0.220 3389
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   inside-prod
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside-in in interface outside
    access-list outside-in extended permit tcp any object Network_Obj_RDP eq 3389 log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Result:      
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside-prod
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I have no idea...

  • How to do destination NAT in a 2600 router with IOS 12.3?

    Hi All
    I have a 2600 router with two LAN interfaces which I am using for a PoC; it has the following settings:
    FE 0/0 - 10.0.0.1/24 - client LAN - inside
    FE 0/1 - 10.1.1.1/24 - server LAN - outside
    The direction of the flows is from the clients to the servers. What I would like to achieve is that when clients access the web server 10.1.1.10, this is replaced by 10.1.1.100.
    I have tried the above a few times but it doesn't work. Is the above possible? If so, please provide me with a sample config.
    Many Thanks
    [email protected]  

    Yes, you can do this.  You don't need destination NAT.  Source NAT translations work both ways.  This should work:
    ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
    int fa 0/0
    ip nat inside
    int fa 0/1
    ip nat outside
    The bigger question is why you'd want to.  Just because you CAN do something doesn't mean you SHOULD.  Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts.  Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10?  If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead?  You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense.  If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem.

  • Problem with Crystal Report Job Server Destinations

    I am using Crystal Reports XI Server and I am having problems with scheduling.  I believe that the problem is that I have not enabled any destinations under the Crystal Reports Job Server.  The following is an observation list:
    -Enabled and set up all destinations for other servers, such as the Destination Server.
    -Have been able to use Infoview to directly email, inbox, and file save reports in different formats (I believe the Destination Server controls this, right?)
    -All servers are enabled in the Central Configuration Manager
    -Have been able to go into the Crystal Reports Job Server within the CMC, but I DO NOT FIND ANY destinations to enable (why is this?)
    -Have not been able to schedule an instance of any report (neither email, nor inbox, nor file, ...nothing)
    Could somebody please help me with this?  Is this a limitation to the Crystal Reports XI Server vs the Enterprise edition?  Is there something else I am missing?  I have never been able to successfully schedule a report.

    Thank you for the input, but I have not yet solved my problem.  Please allow me to provide some additional information which may give more hints:
    I have Crystal Reports XI Server R2 installed as 5 named user license (version that comes with developer)
    The following servers are enabled in CMC (which is all of them)
    -Input.DomainNameSQL
    -DomainNameSQL.cacheserver
    -DomainNameSQL.cms
    -DomainNameSQL.destinationjobserver (has all destinations enabled)
    -DomainNameSQL.eventserver
    -DomainNameSQL.ListofValuesJobServer (no destination tab)
    -DomainNameSQL.pageserver
    -DomainNameSQL.programjobserver (has all destinations enabled)
    -DomainNameSQL.RAS
    -DomainNameSQL.reportjobserver (has destinations tab, but there are no destination entries to enable! Object type is: CrystalEnterprise.Report and detail: IDL:omg.org/CORBA/UserException:1.0. Details: %2.'
    These are the ONLY two event IDs that appear after I schedule the report instance.  No other events occur.
    Are there any other logs that I can check?  How do I look up what event ID 45387 and 45385 are?
    Thanks!

  • PROBLEM WITH RFC DESTINATION

    Hi GURU,
    I have a problem with an RFC destination record.
    When I created an RFC destination of type TCP/IP and ran the tests, it was OK.
    But when I used this RFC destination in an ABAP function, I got an error. The error is:
    RfcExecProgram'#Win32 error 2: The system cannot find the file speci
    Can you help me??
    What should I do to run it properly?
    Thanks for all.
    regards,
    RAFA

    Hi,
    Even I am also new to SAP, but I have a little knowledge about RFC; try to create your RFC of type 3 (ABAP type), then if you use this RFC, I hope no problem will come if the authorization details and IP/host name of the destination system are perfect.
    Also, please suggest to me why (when) we use TCP/IP type RFCs.

  • Open NAT problems with Xbox One .

    When I first got my 1900AC I used Media Prioritization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One, prioritizing the Xbox. It worked fine for about 6 months until I changed cable/net provider to Nextech in KS. This company uses the 1900AC to hook up its system for all its customers (since I already had one they're using mine). Unfortunately I'm unable to get an open NAT in this game anymore; I've tried just about everything: NAT forwarding, triggering, Media Prioritization. Nextech support & Xbox Live support, useless. Tried portforward.com, nothing. Forwarding port 53 cuts off the net connection & doing the static IP change for the Xbox didn't help. Almost everything I've looked at seems out of date & I'm at my wits' end. It would seem by now Linksys should have solutions available; any ideas?

    Thank you chin_pamz13 for your response. I tried to check if my modem had a public or private IP address but I'm not sure how to do that; I've read about double NATs elsewhere. Regardless, I think I've finally found a solution that seems to be working so far. I went to the website tech-recipes.com & found an article, "Xbox One open NAT" by Aaron St. Clair. I tried his first suggestion about port triggering, with extra ports I hadn't seen before. That did not work for me, so I followed his instructions for putting the Xbox in the DMZ & it's working! I think my problems from before were the result of improperly setting up the static IP address for my router & Xbox. Previous instructions had me changing the IP in the console along with the router; Aaron said not to do so in the Xbox, let the router do the work it's supposed to do & make sure the settings in the console are on automatic. In the router at the DMZ, I wasn't sure how to proceed, but at the bottom is a section labeled DHCP reservations list; clicked on that, saw XboxOne, clicked on that & it filled out the MAC address above for me. Then I went to the Xbox network settings, advanced settings & clicked "automatic" at IP address, subnet & DNS. I checked multiplayer connections & did the "hold bumper & trigger buttons" trick & finally got an open NAT; fired up CoD Advanced Warfare & got the open NAT there also. I may have screwed up when I did the port triggering, but since the DMZ fix seems to work I'm going to leave things alone. Hope this helps others with open NAT problems.

  • Problem with passive mode FTP server and NAT

    Hi,
    I have a problem with Passive mode FTP and NAT.
    I am trying to run both an FTP server and share the Internet connection via NAT. By the way, I have specified the passive ports to use in ftpaccess (65000-65534). Everything works fine until someone tries to connect via passive mode. I have tracked the problem down to the firewall and the rule that handles NAT.
    Firewall rule config without NAT:
    00001 allow udp from any 626 to any dst-port 626
    01000 allow ip from any to any via lo0
    12300 allow ip from any to any
    65535 allow ip from any to any
    Firewall rule config with NAT:
    00001 allow udp from any 626 to any dst-port 626
    00010 divert 8668 ip from any to any via en1
    01000 allow ip from any to any via lo0
    12300 allow ip from any to any
    65535 allow ip from any to any
    So, passive ports do not work when NAT is on. If I turn it off, passive FTP works like a charm.
    But how do I solve my problem? In my quest for the answer I have stumbled upon "-punch_fw" but do not know how to use it or if it even helps me at all.
    Best regards,
    Peter
    B&W G3 Mac OS X (10.4.5)
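The reason the divert rule breaks passive mode is visible on the control channel: the server's 227 reply carries the address and port the client must connect to for the data transfer, and once traffic is diverted to natd the client is handed an address or port the translator knows nothing about unless something rewrites the reply and opens the data port. That rewriting and hole punching is what an FTP-aware translator does. The Python below is an added example written for this page, not natd's code nor the poster's configuration; it parses and rewrites a 227 reply, enforces the 65000-65534 passive range from ftpaccess, and records the pinhole a firewall would need. The server address 192.168.1.5 and the public address 203.0.113.7 are constructed, and the one-to-one port mapping is an assumption about how a real helper behaves.

```python
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return (ip, port) from a 227 reply. Every field is bounds-checked because the
    text comes from the peer and is not to be trusted."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= v <= 255 for v in fields):
        raise ValueError("PASV field out of range")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(v) for v in fields[:4]), port


def format_pasv(ip: str, port: int) -> str:
    """Build the 227 reply the client will see after rewriting."""
    h1, h2, h3, h4 = ip.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h1, h2, h3, h4, port // 256, port % 256)


def in_passive_range(port: int, passive_range=(65000, 65534)) -> bool:
    lo, hi = passive_range
    return lo <= port <= hi


class FtpAlg:
    """Minimal model of an FTP-aware translator: rewrite the advertised address and
    open (punch) the data port so the client's second connection is let through."""

    def __init__(self, public_ip: str, passive_range=(65000, 65534)):
        self.public_ip = public_ip
        self.passive_range = passive_range   # the ftpaccess range from the post
        self.pinholes = set()                # (public port, server ip, server port)

    def rewrite_reply(self, reply: str, server_ip: str) -> str:
        ip, port = parse_pasv(reply)
        if ip != server_ip:
            return reply                     # not the server we translate; leave untouched
        if not in_passive_range(port, self.passive_range):
            raise ValueError("server advertised port %d outside %s" % (port, self.passive_range))
        # Open the data port one-to-one (assumption about the real helper's behaviour)
        self.pinholes.add((port, ip, port))
        return format_pasv(self.public_ip, port)

    def data_connection_allowed(self, dst_ip: str, dst_port: int) -> bool:
        """What the firewall would decide for the client's data connection."""
        return dst_ip == self.public_ip and any(p[0] == dst_port for p in self.pinholes)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.7")
    original = "227 Entering Passive Mode (192,168,1,5,254,10)"   # constructed server reply
    print("without a helper the client would dial:", parse_pasv(original))
    rewritten = alg.rewrite_reply(original, "192.168.1.5")
    print("with the helper the client dials:", parse_pasv(rewritten),
          "allowed:", alg.data_connection_allowed(*parse_pasv(rewritten)))
```

Without the rewrite the client tries to reach 192.168.1.5:65034, a private address that the Internet cannot route; with it, the client dials the public address and the firewall has a matching pinhole. Restricting the server to a known passive range is what makes opening those ports in the firewall tractable, which is why the poster's ftpaccess setting matters.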

    Media/Lacrosse-1-tiny.3gp
    I can't find the file on your server.
    They may also need to edit the .htaccess file to allow the .3gp file extension be used. Call them.

  • Massive problem with remote destination

    Hello all,
    we have massive problems with our remote destinations.
    After I created the remote destination profile and added the line, I created the remote destination for my mobile phone.
    All OK so far. But if I associate my mobile phone with the line by choosing Line Association, I'm no longer able to reach many numbers in my company.
    There is no ringing tone. There is nothing, and after 20-30 seconds I get a busy tone.
    If I delete the Line Association I can reach the numbers normally.
    Perhaps you have any idea. I don't have any anymore.

    Finally we found the problem.
    It was in the CUCM service parameters.
    We changed "Matching Caller ID with Remote Destination" to "Partial Match"; after that everything is working fine.

  • Destination NAT with a specific origin ASA 8.2

    Hello Everyone,
    I need to configure destination NAT in my ASA 8.2 version only for a specific origin.
    Today, the network 10.84.25.0/24 accesses the web server with IP 172.17.3.150; I need to NAT the IP 172.17.3.150 to 10.96.202.10 only for the 10.84.25.0/24 network.
    How can I configure this in 8.2?
    Tks!

    Hi,
    I am not quite sure how the setup is on your ASA currently, but the following configuration option came to mind:
    Interfaces "dmz" and "inside"
    10.84.25.0/24 = "inside" network
    172.17.3.150 = "dmz" server real IP
    10.96.202.10 = "dmz" server mapped IP
    access-list DMZ-SERVER-POLICYNAT remark Policy NAT for DMZ Server
    access-list DMZ-SERVER-POLICYNAT permit ip host 172.17.3.150 10.84.25.0 255.255.255.0
    static (dmz,inside) 10.96.202.10 access-list DMZ-SERVER-POLICYNAT
    Hope this helps
    - Jouni

  • L2L VPN with source and destination NAT

    Hello,
    I am new to the ASA 8.4 and was wondering how to tackle the following scenario.
    The diagram is
    Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
    The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
    The Customer connects the following way
    Source: 198.1.1.1
    Destination: 192.168.1.1
    It gets to the outside ASA interface, which should translate the packets to:
    Source: 10.110.110.1
    Destination: 10.120.110.1
    On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
    I did the following configuration, which I am not able to test until tomorrow during the migration:
    object network obj-198.1.1.1
    host 198.1.1.1
    object network obj-198.1.1.1
    nat (outside,inside) dynamic 10.110.110.1
    For the inside to outside NAT depending on the destination:
    object network Real-IP
      host 10.120.110.1
    object-group network PE-VPN-src
    network-object host 198.1.1.1
    object network Destination-NAT
    host 192.168.1.1
    nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
    The question is whether I should also create the following for the outside to inside flow NAT? Or is the NAT done by the inside to outside statement even if the traffic is always initiated from the outside interface?
    object network obj-192.168.1.1
    host 192.168.1.1
    object network obj-192.168.1.1
    nat (outside,inside) dynamic 10.120.110.1

    Let's use a spare IP address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free; please kindly double check and use a free IP address accordingly):
    object network obj-10.10.10.243
      host 10.10.10.243
    object network obj-77.x.x.24
      host 77.x.x.24
    object network obj-10.10.10.251
      host 10.10.10.251
    object network obj-pcA
      host 86.x.x.253
    nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
    Hope that helps.
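Both this thread and the 2600 thread above turn on the same property: a static translation line is matched from either side, so the one line rewrites the packet leaving the real interface and un-rewrites the reply or an outside-initiated packet arriving on the mapped interface. The Python below is an added example written for this page, not ASA or IOS code; it models the `nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src` line from the question, with the objects resolved to their hosts, and applies it to a packet in each direction. Ports are ignored, "first matching line wins" is assumed (as the ASA explanation earlier on this page states), and the addresses 203.0.113.5 and 192.0.2.9 in the checks are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class StaticNat:
    """One 'nat (real_ifc,mapped_ifc) source static REAL MAPPED
    destination static REAL_DST MAPPED_DST' line. 'any' means no constraint."""
    real_ifc: str
    mapped_ifc: str
    real_src: str
    mapped_src: str
    real_dst: str = "any"
    mapped_dst: str = "any"


def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def _map(addr: str, from_net: str, to_net: str) -> str:
    """Static one-to-one mapping: keep the host offset, swap the network."""
    if from_net == "any" or from_net == to_net:
        return addr
    f = ip_network(from_net, strict=False)
    t = ip_network(to_net, strict=False)
    offset = int(ip_address(addr)) - int(f.network_address)
    return str(ip_address(int(t.network_address) + offset))


def translate(pkt: Packet, in_ifc: str,
              rules: List[StaticNat]) -> Tuple[Packet, Optional[str]]:
    """Apply the first matching line and return the rewritten packet plus the
    interface the line moves it to; (pkt, None) if nothing matched."""
    for r in rules:
        # Forward direction: arrived on the real interface, seen from the real side
        if in_ifc == r.real_ifc and _in(r.real_src, pkt.src) and _in(r.real_dst, pkt.dst):
            return (Packet(_map(pkt.src, r.real_src, r.mapped_src),
                           _map(pkt.dst, r.real_dst, r.mapped_dst)), r.mapped_ifc)
        # Reverse direction: same line, arrived on the mapped interface, so the packet's
        # source is the mapped destination and its destination the mapped source
        if in_ifc == r.mapped_ifc and _in(r.mapped_dst, pkt.src) and _in(r.mapped_src, pkt.dst):
            return (Packet(_map(pkt.src, r.mapped_dst, r.real_dst),
                           _map(pkt.dst, r.mapped_src, r.real_src)), r.real_ifc)
    return pkt, None


# The twice NAT line from the question, objects resolved to their hosts
L2L_RULE = StaticNat("inside", "outside", "10.120.110.1", "192.168.1.1",
                     "198.1.1.1", "198.1.1.1")
# The 2600 thread's static line in the same shape (ports ignored)
IOS_RULE = StaticNat("inside", "outside", "10.1.1.100", "10.1.1.10")

if __name__ == "__main__":
    # inside -> outside: the server's real address becomes 192.168.1.1 towards 198.1.1.1
    print(translate(Packet("10.120.110.1", "198.1.1.1"), "inside", [L2L_RULE]))
    # outside -> inside: the customer's packet to 192.168.1.1 is delivered to 10.120.110.1
    print(translate(Packet("198.1.1.1", "192.168.1.1"), "outside", [L2L_RULE]))
    # the same reversal for the 2600 static: 10.1.1.10 is rewritten to 10.1.1.100
    print(translate(Packet("192.0.2.9", "10.1.1.10"), "outside", [IOS_RULE]))
```

The reverse branch is the answer to the poster's last question in this model: the single inside-to-outside line already covers a connection initiated from outside, because matching is done against the mapped side when the packet arrives on the mapped interface. Note that the destination clause `PE-VPN-src PE-VPN-src` is an identity, so the customer's source address is left as 198.1.1.1 by this line; the model makes that visible rather than hiding it.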
