We need to setup a site to site VPN with a customer who will not allow us to use RFC1918 addresses for our end point source / destinations.
As a result we have been asked to NAT these devices into our globally assigned Internet block.
My question is, will this work ?
Our Cisco ASA's terminate the VPNs and connect directly onto the Internet using a /27 block provided by our ISP.
If we NAT the inside devices that need to be protected over the VPN into this block and then included these NAT'd addresses in the crypto map ACL's will this work ?
Thanks in advance.
Yes it will work and how you have described it is exactly how you set it up - eg.
inside network 192.168.5.0/24
Natted Public address - 184.108.40.206
remote network - 172.16.5.0/24
your crypto map access-list would read
access-list vpntraffic permit ip host 220.127.116.11 172.16.5.0 255.255.255.0