We have 2 buildings connected by a wireless bridge that transports different VLANs.
We now need to dismiss this bridge and connect these networks through a site-to-site IPsec VPN.
We don't want to change the IP addresses, so I'm wondering if it's possible to apply NAT before encrypting the traffic for each VLAN?
Is it possible?

Yes, you definitely can.
I couldn't find a sample configuration that NATs both ends, but here is an example for your reference:
Site A LAN: 192.168.1.0/24 --> NAT to 192.168.20.0/24
Site B LAN: 192.168.1.0/24 --> NAT to 192.168.40.0/24
Site A ASA:
static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0
access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
Site B ASA:
static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0
access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
Hope that helps.
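
As an added example (not part of the original posts), this Python sketch parses the two ASA snippets from the answer above, shows how a host address is translated across the tunnel, and checks that the crypto ACLs reference the post-NAT networks and mirror each other. The helper names `parse`, `translate` and `check_pair` are hypothetical.

```python
import ipaddress
import re

# Configuration lines copied from the answer above (pre-8.3 ASA syntax).
SITE_A = """static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0
access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0"""
SITE_B = """static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0
access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0"""

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)$", re.M)
ACL_RE = re.compile(r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    """Return (real LAN, mapped LAN, crypto ACL source, crypto ACL destination)."""
    mapped, real, mask = STATIC_RE.search(config).groups()
    src, smask, dst, dmask = ACL_RE.search(config).groups()
    return net(real, mask), net(mapped, mask), net(src, smask), net(dst, dmask)

def translate(host, real, mapped):
    """Network static NAT is 1:1: the host bits are kept, only the prefix changes."""
    offset = int(ipaddress.ip_address(host)) - int(real.network_address)
    if not 0 <= offset < real.num_addresses:
        raise ValueError(f"{host} is not inside {real}")
    return str(mapped.network_address + offset)

def check_pair(cfg_a, cfg_b):
    """Return a list of problems that would stop the tunnel from passing traffic."""
    real_a, map_a, src_a, dst_a = parse(cfg_a)
    real_b, map_b, src_b, dst_b = parse(cfg_b)
    problems = []
    # NAT happens before encryption, so the crypto ACL must match mapped addresses.
    if src_a != map_a or src_b != map_b:
        problems.append("crypto ACL source must be the post-NAT (mapped) network")
    if (src_a, dst_a) != (dst_b, src_b):
        problems.append("crypto ACLs are not mirror images of each other")
    for m in (map_a, map_b):
        if m.overlaps(real_a) or m.overlaps(real_b):
            problems.append(f"mapped range {m} overlaps a real LAN")
    if map_a.overlaps(map_b):
        problems.append("both sites are mapped to overlapping ranges")
    return problems
```

With this mapping, a Site A host reaches Site B's 192.168.1.10 by addressing 192.168.40.10, and its own traffic appears at Site B as coming from 192.168.20.x.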