I have the following scenario:-
Net A - 172.20.82.0/24 (under my control) network
Net B - Public (out of my control) network
I have a bunch of servers on the Net A (172.20.82.0/24) network I'd like to PAT behind a Public IP before transmission over a VPN to the remote (Net B) site. In quickly doing some reading thus far, my understanding is that I'll need to:-
a) Perform an "inside/outside" PAT on Net A "interesting traffic" to my PAT Public address before I then...
b) Apply the new Public PAT address to both the crypto and "NAT 0" ACLs.
access-list NET_A_PAT extended permit ip 172.20.82.0 255.255.255.0 NET_B_NETWORK NET_B_NETMASK
nat (inside) 20 access-list NET_A_PAT
global (outside) 20 MY_PUBLIC_PAT
access-list NO_NAT extended permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK
access-list CRYPTO_MAP extended permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK
First question is - is this right? I believe it is, but am just wanting clarification.
Second question is - I also run a "standard" PAT on the "outside" (Internet) interface of the ASA for normal internet traffic - browsing etc. If I am performing an inside/outside PAT as above, will that not then try and transmit the encrypted packets using my "new" PAT instead of the interface IP to the remote VPN endpoint? Or does the crypto process take my first PAT then re-encapsulate it using the "real" outside interface IP PAT?
Hope I'm reasonably clear - many thanks in advance.
b) Partly correct: the crypto ACL is correct; however, you don't need a NAT 0 ACL as you are doing a PAT.
Second question - no, PAT comes first, then it will encrypt the packet with the interface IP which is the VPN termination point.
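The order of operations the answer describes (policy NAT first, then the crypto ACL matched against the translated packet, then ESP encapsulation sourced from the outside interface) can be walked through with a small model of the pre-8.3 ASA packet path. This is an added illustration written for this thread, not configuration or code from either poster; the public PAT address, the outside interface IP, the Net B prefix and the Internet destination are constructed placeholders standing in for MY_PUBLIC_PAT, the interface address, NET_B_NETWORK/NET_B_NETMASK and an arbitrary public host.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addressing (assumed, not from the thread).
NET_A = ipaddress.ip_network("172.20.82.0/24")          # inside servers
NET_B = ipaddress.ip_network("192.0.2.0/24")            # stands in for NET_B_NETWORK/NETMASK
MY_PUBLIC_PAT = ipaddress.ip_address("198.51.100.10")   # stands in for MY_PUBLIC_PAT
OUTSIDE_IF = ipaddress.ip_address("203.0.113.1")        # ASA outside interface / VPN endpoint


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def nat_exempt(pkt):
    """Model of the poster's NO_NAT ACL: nat 0 is evaluated against the real
    (untranslated) source, so 'host MY_PUBLIC_PAT' never matches a 172.20.82.x
    packet and the exemption is effectively unused."""
    return pkt.src == MY_PUBLIC_PAT and pkt.dst in NET_B


def translate(pkt):
    """Pre-8.3 ASA NAT order: nat 0 exemption, then policy NAT (nat 20 /
    global 20), then the catch-all interface PAT used for Internet browsing."""
    if nat_exempt(pkt):
        return pkt, "nat 0 (exempt)"
    # nat (inside) 20 access-list NET_A_PAT / global (outside) 20 MY_PUBLIC_PAT
    if pkt.src in NET_A and pkt.dst in NET_B:
        return Packet(MY_PUBLIC_PAT, pkt.dst), "nat 20 -> MY_PUBLIC_PAT"
    # Assumed 'nat (inside) 1 0 0' / 'global (outside) 1 interface' for everything else
    return Packet(OUTSIDE_IF, pkt.dst), "nat 1 -> interface"


def crypto(pkt):
    """CRYPTO_MAP ACL is matched on the translated packet. A match yields an
    ESP packet whose outer source is the outside interface IP; the PAT address
    only appears in the inner (encrypted) header."""
    if pkt.src == MY_PUBLIC_PAT and pkt.dst in NET_B:
        return {"esp": True, "outer_src": OUTSIDE_IF, "inner_src": pkt.src}
    return {"esp": False, "outer_src": pkt.src, "inner_src": None}


def forward(src, dst):
    """Run one inside-originated packet through NAT and then the crypto check."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    translated, rule = translate(pkt)
    result = crypto(translated)
    result["nat_rule"] = rule
    return result


if __name__ == "__main__":
    # Server in Net A talking to Net B over the tunnel
    print(forward("172.20.82.5", "192.0.2.20"))
    # Same server browsing an ordinary Internet host (constructed address)
    print(forward("172.20.82.5", "203.0.113.99"))
```

Running it shows the VPN-bound flow leaving with inner source MY_PUBLIC_PAT and outer source equal to the outside interface IP, while ordinary Internet traffic is simply PATed to the interface address with no ESP, which is the behaviour the answer describes.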