I have been asked to set up an IPsec site-to-site VPN with a company partner. They require that we NAT our internal hosts to a different network before sending across the tunnel. These same internal hosts need regular Internet access. I only want to NAT to a global address if the destination matches certain hosts or subnets. Otherwise, the traffic should go through the regular outbound NAT overload.
I have the following networks needing "conditional" NAT:
Remote networks on the partner side are:
They've asked that we NAT our hosts to 10.29.96.x. They will then apply inbound filtering on 10.29.96.x.
Can anybody provide me with the needed access list(s) and NAT statement(s) for my side?
This is a Cisco ASA 5520 to Cisco ASA 5520 IPsec tunnel...
Thanks to everyone in advance!!
Here's how I would go about it. For argument's sake, let's say the partner is called Acme.
object-group network ACME-REMOTE
 network-object 10.0.60.0 255.255.255.0
 network-object 10.0.72.0 255.255.255.0
object-group network ACME-LOCAL
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0
access-list ACME-L2L-PNAT extended permit ip object-group ACME-LOCAL object-group ACME-REMOTE
nat (inside) 50 access-list ACME-L2L-PNAT
global (outside) 50 10.29.96.1
This configuration will translate the traffic coming from your two internal subnets to 10.29.96.1 only when going to their two subnets.
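The policy NAT above only covers the partner-bound half of the problem. An added example, not part of the answer or of the original post, showing the pieces around it that a working deployment needs: the catch-all overload for ordinary Internet traffic, and the crypto ACL, which on the ASA must match the translated source (NAT is applied before the crypto map lookup on outbound traffic). The first half uses the pre-8.3 syntax of the answer; the second half is the equivalent manual (twice) NAT for ASA 8.3 and later, where the `nat (inside) 50 access-list` / `global` pair no longer exists. The object and ACL names, the `OUTSIDE_MAP` crypto map name and the peer address 203.0.113.10 are assumptions; the rest of the tunnel (ISAKMP policy, transform set, tunnel-group) is assumed to be configured already.

```cisco
! ===== ASA 8.2 and earlier =====
object-group network ACME-LOCAL
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0
object-group network ACME-REMOTE
 network-object 10.0.60.0 255.255.255.0
 network-object 10.0.72.0 255.255.255.0
! Policy NAT (id 50): PAT to 10.29.96.1 only when the destination is a partner subnet.
! Policy NAT is evaluated before regular dynamic NAT, so this wins for partner traffic.
access-list ACME-L2L-PNAT extended permit ip object-group ACME-LOCAL object-group ACME-REMOTE
nat (inside) 50 access-list ACME-L2L-PNAT
global (outside) 50 10.29.96.1
! Everything else (id 1): regular overload to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Crypto ACL: match the TRANSLATED source, not 172.16.x.x, or the traffic
! leaves in the clear via the default route instead of entering the tunnel.
access-list ACME-L2L-CRYPTO extended permit ip host 10.29.96.1 object-group ACME-REMOTE
crypto map OUTSIDE_MAP 10 match address ACME-L2L-CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10

! ===== ASA 8.3 and later (same object-groups as above) =====
object network ACME-PNAT-GLOBAL
 host 10.29.96.1
! Manual (twice) NAT in section 1: source PAT to 10.29.96.1 only for partner destinations.
! Section 1 is evaluated before the object NAT below.
nat (inside,outside) source dynamic ACME-LOCAL ACME-PNAT-GLOBAL destination static ACME-REMOTE ACME-REMOTE
! Everything else: object NAT (section 2) overload to the outside interface.
object network INSIDE-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
! Crypto ACL still references the translated source.
access-list ACME-L2L-CRYPTO extended permit ip host 10.29.96.1 object-group ACME-REMOTE
crypto map OUTSIDE_MAP 10 match address ACME-L2L-CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
```

The partner's crypto ACL must be the mirror image (their two subnets to host 10.29.96.1), and their inbound filtering will see every one of your hosts as that single address. If they need to distinguish individual hosts, replace the single global with a pool (`global (outside) 50 10.29.96.1-10.29.96.254` pre-8.3, or a `range` object in the manual NAT rule) or use static policy NAT. Verify with `show xlate` while generating partner-bound and Internet-bound traffic from the same host: the two translations should appear with different global addresses.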