Currently there are about 120 hosts (10.10.20.0 subnet) on our side that are NATted on the outside interface of the firewall. I have created a VPN tunnel that allows 10.10.20.0 and 10.10.30.0 to go through the VPN tunnel by NATting them via the VPN interface of the firewall. But those particular hosts do not go through the VPN tunnel, since NATting is allowed through the outside interface.
Can I allow the entire 10.10.20.0 and 10.10.30.0 to be statically NATted via one single IP towards the tunnel? I realize that static NAT is given priority over normal NAT. I tested with one static NAT 10.10.20.10 --> 192.168.10.50 --> VPN tunnel and it works, in spite of the fact that 10.10.20.10 is also NATted on the outside interface. Now it is going out the VPN tunnel as well as outside, since I have assigned policy NAT on the static NAT to go towards the VPN tunnel. But I can't do this for all 120 hosts. It is not practical.
Can I do this?
(22.214.171.124) is the remote LAN public address
access-list site_to_site_vpn extended permit ip 10.10.20.0 255.255.255.0 126.96.36.199 255.255.255.0
static (inside.vpn) 192.168.3.50 access-list site_to_site_vpn
Thanks in advance
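As an added illustration (not part of the original post), the following is the pre-8.3 ASA policy PAT form of what the question describes: both inside subnets hidden behind one address only for traffic destined to the remote LAN, while all other traffic keeps using the regular outside NAT. Interface names `inside`/`outside`, the ACL name `vpn_pat`, and the use of the post's 126.96.36.199/24 as the remote LAN are assumptions.

```cisco
! Added example, not from the original post. Assumes ASA pre-8.3 NAT syntax,
! interface names inside/outside, and 126.96.36.199/24 as the remote LAN.
!
! Policy ACL: which real traffic should be translated for the tunnel.
access-list vpn_pat extended permit ip 10.10.20.0 255.255.255.0 126.96.36.199 255.255.255.0
access-list vpn_pat extended permit ip 10.10.30.0 255.255.255.0 126.96.36.199 255.255.255.0
!
! Policy NAT (nat with access-list) is evaluated before the regular
! "nat (inside) 1 ..." rule, so only traffic matching vpn_pat is hidden
! behind the single tunnel address; everything else keeps the existing NAT.
nat (inside) 2 access-list vpn_pat
global (outside) 2 192.168.3.50
!
! The crypto ACL must match the post-NAT address, not the inside subnets.
access-list site_to_site_vpn extended permit ip host 192.168.3.50 126.96.36.199 255.255.255.0
```

Because this is many-to-one PAT, the remote site only ever sees 192.168.3.50 and cannot open connections to individual inside hosts; verify with `show xlate` and `show crypto ipsec sa` that the translated address is what enters the tunnel.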