I am tasked with configuring a site-to-site VPN connection to a business partner in which I would first like to NAT my internal IPs to a public IP then send it across the tunnel, and vice versa when they try to access my servers I would like them to get to them via the external IP. Here is what I think I need to do, but I wondered what the community's thoughts were.
All IP addresses represented below are fictional.
Internal Servers Public IP
Local Peer IP: 22.214.171.124
Remote Peer IP: 126.96.36.199
Local Network: 188.8.131.52/24
Remote Network: 184.108.40.206/24
From my understanding, NAT will occur before being sent out through a tunnel, or to the internet, etc, so the configuration I am thinking I need is the following:
nat (inside) 0 access-list nonat
nat (inside) 2 10.50.220.150
nat (inside) 3 10.50.220.151
nat (inside) 4 10.50.220.152
global (outside) 2 220.127.116.11
global (outside) 3 18.104.22.168
global (outside) 4 22.214.171.124
access-list nonat extended permit ip 126.96.36.199 255.255.255.0 188.8.131.52 255.255.255.0 (Do I even need this since it's getting NATed to a public IP anyway?)
access-list s2s-Customer extended permit ip 184.108.40.206 255.255.255.0 220.127.116.11 255.255.255.0
route outside 18.104.22.168 255.255.255.0 22.214.171.124
crypto map outside 1 set peer 126.96.36.199
crypto map outside 1 match address s2s-Customer
[..rest of configuration omitted..]
Does that look/sound right? If not, please advise.
PAT (nat/global) will take care of outbound traffic and static will take care of inbound traffic.
You can create Policy NAT as well to manage this traffic.
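The following is an added configuration example, not from anyone in this thread, showing how the static/inbound and NAT-order points above fit together in pre-8.3 ASA syntax. It reuses the fictional addresses from the question (10.50.220.x hosts, the 220.127.116.11 / 18.104.22.168 public addresses, the 184.108.40.206/24 partner network); the second `nonat` destination and the `outside_in` ACL name are assumptions added for illustration.

```cisco
! Added example (not from the thread): one-to-one static NAT for servers that
! the partner must reach at their public addresses, pre-8.3 ASA syntax.
! Addresses are the fictional ones from the question.
!
! A static is bidirectional: outbound, 10.50.220.150 leaves as 220.127.116.11;
! inbound, the partner sends to 220.127.116.11 and the ASA forwards to 10.50.220.150.
! With the static in place, a separate nat/global pair for the same host is not needed.
static (inside,outside) 220.127.116.11 10.50.220.150 netmask 255.255.255.255
static (inside,outside) 18.104.22.168 10.50.220.151 netmask 255.255.255.255
!
! Keep the NAT exemption narrow: nat 0 is evaluated before other NAT rules, so an
! exemption that also covered these hosts toward the partner network would bypass
! the static, put the private address on the wire, and fail the crypto ACL match.
! 10.60.0.0/16 below is a hypothetical destination for some other, untranslated tunnel.
access-list nonat extended permit ip 10.50.220.0 255.255.255.0 10.60.0.0 255.255.0.0
nat (inside) 0 access-list nonat
!
! The crypto ACL is matched after translation, so it lists the public (translated)
! addresses and the partner network, never the 10.50.220.x addresses.
access-list s2s-Customer extended permit ip host 220.127.116.11 184.108.40.206 255.255.255.0
access-list s2s-Customer extended permit ip host 18.104.22.168 184.108.40.206 255.255.255.0
crypto map outside 1 match address s2s-Customer
crypto map outside 1 set peer 126.96.36.199
!
! Limit what the partner can reach: by default (sysopt connection permit-vpn)
! decrypted tunnel traffic bypasses the outside interface ACL, so either disable
! that and filter explicitly, as here, or attach a vpn-filter to the tunnel group.
! Pre-8.3, the inbound ACL on "outside" matches the public address as seen on the wire.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp 184.108.40.206 255.255.255.0 host 220.127.116.11 eq 443
access-list outside_in extended permit tcp 184.108.40.206 255.255.255.0 host 18.104.22.168 eq 22
access-group outside_in in interface outside
```

Verify with `show xlate` (the static entries should appear) and `show crypto ipsec sa` after generating traffic: the SA's local identity should show the public addresses, which confirms the crypto ACL is matching post-NAT traffic. If the private 10.50.220.x address shows up as the local identity instead, an overlapping `nat 0` exemption is winning over the static.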