I have a problem.
I would like to perform the following on one ASA.
I have users that need to get to our company remotely so I have set up Remote access VPN for them and this works fine.
Now we have a customer that requires these people to access their equipment for remote diagnostics.
This company has provided us with an IP address that we must use when trying to reach their network, so I will have to NAT (PAT) our VPN users' IP addresses to the single IP from our customer. The link to this customer (IPSec) runs from the SAME ASA as the Remote VPN users.
So to give a short description of what I am trying to do - here it is again:
Remote user -> Outside interface -> NAT/PAT -> Outside interface -> IPSec tunnel to customer.
Is this possible? I have not managed to configure this in any way, shape or form. Although I do have other IPSec tunnels ending on the ASA that do not use NATting and these are reachable for the remote users - so basically my problem is with the NAT/PAT bit....
I have also thought of doing this over 2 ASAs. Check my diagram out and tell me what you think....
You would need a dynamic NAT for VPN client IPs to the HQ IP subnet.
You will also need a no-nat on that as well - and lastly you will need to add the NAT address of the VPN IP subnet to the encryption domains to the HQ VPN; they also need the NAT address on the remote end.
Have you tried:-
1) Same security interface routing - not required (viewed the diagram)
2) Policy-based NAT - src/dst for VPN? This will work.
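
A sketch of the policy NAT approach suggested in the reply above, as an added example that is not from the thread. It assumes ASA software earlier than 8.3 (nat/global syntax); the addresses, ACL names, NAT ID and crypto map name and sequence number are constructed placeholders.

```cisco
! Constructed placeholders (not from the thread):
!   10.99.0.0/24     remote-access VPN client pool
!   192.0.2.10       single source IP assigned by the customer
!   198.51.100.0/24  customer network behind the L2L tunnel
! Syntax assumed: ASA software earlier than 8.3 (nat/global pairs).

! Traffic that enters and leaves on the same interface needs this.
! It is likely already set if remote users reach other tunnels on this ASA.
same-security-traffic permit intra-interface

! Policy NAT: translate VPN-pool traffic only when it is destined
! to the customer network, so other tunnels keep the real pool addresses.
access-list VPNPOOL-TO-CUST extended permit ip 10.99.0.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (outside) 5 access-list VPNPOOL-TO-CUST
global (outside) 5 192.0.2.10

! Encryption domain for the customer tunnel uses the translated source,
! because NAT is applied before the crypto ACL is matched.
access-list CRYPTO-CUST extended permit ip host 192.0.2.10 198.51.100.0 255.255.255.0
crypto map OUTSIDE-MAP 20 match address CRYPTO-CUST
```

`show xlate` and `show crypto ipsec sa` confirm that the translation is created and that the tunnel's local identity is the translated host rather than the VPN pool.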