I have one query: currently I have configured 10 servers with PAT against one public IP (x.x.x.x) on the ASA. Now I have to configure a few VPN tunnels with the clients, and I want the tunnel encryption domain IP to be the x.x.x.x public IP, which is NATed against those 10 IPs. Is it possible? If yes, how?
Traffic which will go out from the tunnels would be from any of those 10 servers to outside clients.
I mean that usually you don't need to NAT the traffic that goes through the tunnel because you don't need those addresses to be public.
If for some reason you do need NAT/PAT, then you can configure it like that.
Here's an example:
Site A local network: 10.1.1.0/24
Site A PAT address: 18.104.22.168
Site B local network: 10.2.2.0/24
Site B public IP: 22.214.171.124
So, normally you avoid NATing the VPN traffic and have communication between both sites from 10.1.1.0/24 to 10.2.2.0/24.
In this case if you want to PAT the traffic, then you do the following:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
access-list VPN permit ip host 126.96.36.199 10.2.2.0 255.255.255.0 --> This is the crypto ACL
You need to make sure there's no nat 0 for that traffic.
In this case, when traffic goes from 10.1.1.0/24 to 10.2.2.0/24, the traffic will get PATed and then encrypted and sent through the tunnel.
Only Site A can initiate the VPN tunnel.
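To make the ordering in the answer concrete, here is an added example (not from the original post and not ASA code): a small Python model of Site A's outbound path where dynamic PAT runs first and the crypto ACL is then matched against the post-NAT source. It assumes the crypto ACL host entry is Site A's PAT address from the example, models a nat 0 exemption as a flag, and uses a constructed xlate table to show why Site B cannot reach a specific server behind the PAT address.

```python
import ipaddress

# Constructed model (not an ASA) of the outbound order of operations in the
# answer above: dynamic PAT is applied first, then the crypto ACL is matched
# against the post-NAT source, so the ACL must name the PAT address.
SITE_A_LAN = ipaddress.ip_network("10.1.1.0/24")
SITE_B_LAN = ipaddress.ip_network("10.2.2.0/24")
PAT_ADDRESS = ipaddress.ip_address("18.104.22.168")  # 'global (outside) 1 interface'


class SiteAFirewall:
    def __init__(self, nat_exempt_vpn: bool = False):
        # nat_exempt_vpn=True models a 'nat 0' rule for 10.1.1.0/24 -> 10.2.2.0/24,
        # which the answer says must NOT exist for this design to work.
        self.nat_exempt_vpn = nat_exempt_vpn
        self.xlate = {}           # (pat_ip, pat_port) -> (inside_ip, inside_port)
        self.next_pat_port = 1024  # constructed starting port for the PAT pool

    def _pat(self, src, sport, dst):
        """'nat (inside) 1 10.1.1.0 255.255.255.0' + 'global (outside) 1 interface'."""
        if src not in SITE_A_LAN or (self.nat_exempt_vpn and dst in SITE_B_LAN):
            return src, sport  # untranslated: nat 0 exemption or not an inside host
        pat_port = self.next_pat_port
        self.next_pat_port += 1
        self.xlate[(PAT_ADDRESS, pat_port)] = (src, sport)
        return PAT_ADDRESS, pat_port

    @staticmethod
    def _crypto_acl(src, dst):
        """'access-list VPN permit ip host <PAT address> 10.2.2.0 255.255.255.0'."""
        return src == PAT_ADDRESS and dst in SITE_B_LAN

    def outbound(self, src, sport, dst):
        """Returns (post-NAT source IP, post-NAT port, enters the tunnel?)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        nat_src, nat_port = self._pat(src, sport, dst)
        return str(nat_src), nat_port, self._crypto_acl(nat_src, dst)

    def inbound(self, dst, dport):
        """Site B -> PAT address: only an existing xlate maps it back to a server,
        which is why only Site A can initiate in this design."""
        hit = self.xlate.get((ipaddress.ip_address(dst), dport))
        return None if hit is None else (str(hit[0]), hit[1])
```

With the nat 0 exemption enabled the packet leaves with its 10.1.1.x source, never matches the crypto ACL, and goes out in the clear.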