I have a VPN to another company and they are using the same addressing as us, so I need to do some double NATting. Not sure how to do this for a VPN. Basically I want anything exiting from the site A subnet of 10.1.1.0/24 to get translated to 10.6.7.1. Also, anything going from a specific address in site A (10.1.1.67) should get translated to 10.6.7.2.
You need policy-based NAT for your VPN connections, something like:-
access-list inside_policy_nat extended permit ip host 10.1.1.67 <>
static (inside,outside) 10.6.7.2 access-list inside_policy_nat
access-list no-nat extended permit ip host 10.6.7.2 <>
access-list nat_vpn_company_x extended permit ip host 10.6.7.2 <>
crypto map <> <> match address nat_vpn_company_x
The above will:-
1) NAT the internal src IP from 10.1.1.67 to 10.6.7.2 when the destination is the remote company IP subnet
2) Once translated - will not re-NAT it again
3) Define the NAT'ed IP address as the interesting src IP to bring the tunnel UP, and of course it is used in the verification of the IPsec encryption domains.
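
The order described in the answer (translate first, then match the crypto ACL on the translated source) can be checked offline before touching the firewall. The sketch below is an added example, not part of the original posts and not ASA code; it also models the subnet-wide rule from the question, and the remote subnet 192.0.2.0/24, the rule ordering and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed placeholder: the page elides the remote company's subnet as <>.
REMOTE_NET = ipaddress.ip_network("192.0.2.0/24")

# (real source, mapped address). Assumption of this model: the host rule is
# checked before the subnet-wide rule, so 10.1.1.67 keeps its own mapping.
POLICY_NAT = [
    (ipaddress.ip_network("10.1.1.67/32"), "10.6.7.2"),
    (ipaddress.ip_network("10.1.1.0/24"), "10.6.7.1"),
]

def translate(src, dst):
    """Return the source address (as a string) after policy NAT."""
    if ipaddress.ip_address(dst) not in REMOTE_NET:
        return src  # policy NAT only applies towards the remote company
    for real, mapped in POLICY_NAT:
        if ipaddress.ip_address(src) in real:
            return mapped
    return src

def crypto_acl_matches(src, dst, crypto_acl):
    """crypto_acl is a list of (source network, destination network) strings."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in crypto_acl)

def enters_tunnel(src, dst, crypto_acl):
    """NAT first, then match the crypto ACL on the translated source."""
    return crypto_acl_matches(translate(src, dst), dst, crypto_acl)

# Encryption domain written with the translated addresses (step 3 of the answer).
ACL_TRANSLATED = [("10.6.7.1/32", "192.0.2.0/24"), ("10.6.7.2/32", "192.0.2.0/24")]
# Encryption domain written with the real inside addresses; it never matches,
# because the source has already been rewritten when the ACL is consulted.
ACL_REAL = [("10.1.1.0/24", "192.0.2.0/24")]

if __name__ == "__main__":
    for src in ("10.1.1.67", "10.1.1.20"):
        print(src, "->", translate(src, "192.0.2.10"),
              "| translated ACL:", enters_tunnel(src, "192.0.2.10", ACL_TRANSLATED),
              "| real ACL:", enters_tunnel(src, "192.0.2.10", ACL_REAL))
```

Replace REMOTE_NET and the ACL entries with the values agreed with the other company; both peers must describe the same translated encryption domains for the IPsec negotiation to succeed.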