We have static NAT configured on an 1800 router for two hosts, viz. a.b.c.d and p.q.r.s, mapped to Public_Addr1 and Public_Addr2. With this we are able to access these hosts from the internet without any problem. Currently no firewall feature is used, so WAN to LAN access is allowed.
Next, we plan to set up a site-to-site VPN between these two hosts and the remote site's hosts. Now, if we configure this site-to-site VPN, is there a possibility that our static NAT for these two hosts would no longer work from all other places? That would lead to us losing connectivity to those hosts except from the VPN locations.
Another problem is that the second location can reach our hosts a.b.c.d and p.q.r.s not by these private addresses but by some totally different private addresses, say a1.b1.c1.d1 and p1.q1.r1.s1. So if these hosts try to communicate with the "other side VPN" hosts, then we need to NAT them first (to a1.b1.c1.d1 and p1.q1.r1.s1) and then send them for encryption.
Here are the cases:
Case 1. If host a.b.c.d tries to access the internet, then source NAT it to Public_Addr1 and send it out the WAN interface of the router.
Case 2. If host a.b.c.d tries to access an "other side VPN" host, then source NAT it to a1.b1.c1.d1 and send the packet to the encryption process, where it will be encrypted in tunnel mode and sent out the WAN link with the other end's VPN tunnel public address as the destination address.
If [a.b.c.d (src), Other_Side_VPN (dst)] ---> NAT the source address, giving [a1.b1.c1.d1 (src), Other_Side_VPN (dst)] ---> encrypt this packet ---> wrap it in an ESP header addressed to Other_end_VPN_Public ---> WAN link.
The access-list in the crypto map will have a1.b1.c1.d1 as the source address and the "other side VPN" hosts as the destination address.
Can it be done? Do we have something like nat (0) on a firewall, which excludes traffic from the NAT process? But here in our case it is a two-step process: changing the source IP to another source IP and then encrypting the packet.
Please share your experience.
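One way to build the two-step flow described in the question on IOS, given here as an added worked example and not as the poster's configuration: static NAT entries carrying a route-map pick the translated source by destination (Internet vs. remote VPN subnet), and the crypto ACL matches the post-NAT addresses, because the router performs the inside-to-outside NAT translation before it evaluates the crypto map. All interface names, the IKE/IPsec parameters and the addresses (RFC 5737 and RFC 1918 placeholders standing in for a.b.c.d, p.q.r.s, Public_Addr1/2, a1.b1.c1.d1, p1.q1.r1.s1 and the remote side) are assumptions.

```cisco
! Constructed example, not from the original post. Address plan (assumed):
!   inside hosts            10.1.1.10 / 10.1.1.20      (a.b.c.d / p.q.r.s)
!   Internet identities     203.0.113.10 / 203.0.113.20 (Public_Addr1 / Public_Addr2)
!   VPN-side identities     172.16.100.10 / 172.16.100.20 (a1.b1.c1.d1 / p1.q1.r1.s1)
!   remote VPN subnet       192.168.50.0/24, remote peer 198.51.100.1
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 crypto map VPNMAP
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Traffic from the two hosts towards the remote VPN subnet (Case 2)
ip access-list extended NAT-TO-VPN
 permit ip host 10.1.1.10 192.168.50.0 0.0.0.255
 permit ip host 10.1.1.20 192.168.50.0 0.0.0.255
!
! Everything else from the two hosts (Case 1); the deny lines keep the
! two route-maps mutually exclusive so only one static can match a packet
ip access-list extended NAT-TO-INTERNET
 deny   ip host 10.1.1.10 192.168.50.0 0.0.0.255
 deny   ip host 10.1.1.20 192.168.50.0 0.0.0.255
 permit ip host 10.1.1.10 any
 permit ip host 10.1.1.20 any
!
route-map RM-TO-VPN permit 10
 match ip address NAT-TO-VPN
!
route-map RM-TO-INTERNET permit 10
 match ip address NAT-TO-INTERNET
!
! Case 1: translate to the public addresses only for non-VPN destinations.
! "reversible" lets sessions initiated from the Internet towards
! 203.0.113.10/.20 still use these statics (otherwise route-map statics
! only serve sessions started from the inside).
ip nat inside source static 10.1.1.10 203.0.113.10 route-map RM-TO-INTERNET reversible
ip nat inside source static 10.1.1.20 203.0.113.20 route-map RM-TO-INTERNET reversible
!
! Case 2: translate to the VPN-side identities only for the remote subnet
ip nat inside source static 10.1.1.10 172.16.100.10 route-map RM-TO-VPN
ip nat inside source static 10.1.1.20 172.16.100.20 route-map RM-TO-VPN
!
! Crypto ACL uses the POST-NAT source addresses: NAT runs before the
! crypto map check on the inside-to-outside path
ip access-list extended CRYPTO-TO-REMOTE
 permit ip host 172.16.100.10 192.168.50.0 0.0.0.255
 permit ip host 172.16.100.20 192.168.50.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address CRYPTO-TO-REMOTE
```

Two things to check on the actual box: the `reversible` keyword on a route-map static was added in a later 12.4T-era release, so confirm the 1800's image accepts it (without it, inbound connections from the Internet to Public_Addr1/2 stop working as soon as the static carries a route-map), and if the image rejects a second static for the same inside address, look at that release's rules for multiple statics per local address. The remote side must use 172.16.100.0/24 (not 10.1.1.0/24) as this side's identity in its own crypto ACL and routing, and the IKE/IPsec parameters above are placeholders to be agreed with the peer. Validate the behaviour with `show ip nat translations` (one entry per host per translated address) and `show crypto ipsec sa` (encaps/decaps counters moving for traffic to 192.168.50.0/24).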