I need to set up a site-to-site with NAT because we have an overlapping subnet on the other end.
They need to access two servers on our network with static IPs.
Site A: 192.168.100.0/24
Site B: 192.168.200.128/25
The other site has picked this network for NAT: 10.200.50.0/28
I need to translate
192.168.100.10 > 10.200.50.2
192.168.100.20 > 10.200.50.3
through the tunnel
This is what I've done so far, will this work? Any problem that could appear with this config?
access-list VPN permit ip 10.200.50.0 255.255.255.240 192.168.200.128 255.255.255.128
access-list Policy_NAT1 permit ip host 192.168.100.10 192.168.200.128 255.255.255.128
access-list Policy_NAT2 permit ip host 192.168.100.20 192.168.200.128 255.255.255.128
nat (inside) 10 access-list Policy_NAT1 0 0
nat (inside) 11 access-list Policy_NAT2 0 0
global (outside) 10 10.200.50.2
global (outside) 11 10.200.50.3
Thanks in advance!
Your configuration seems fine.
Though I guess it's a Dynamic Policy NAT/PAT configuration.
In case you wanted to configure Static Policy NAT you would have to change it a bit. I mean if you wanted a NAT configuration that would enable bidirectional connection forming, both from your site to the remote site and from the remote site to your side. You could still use the same ACLs you have configured but you would be using them in "static" configurations.
static (inside,outside) 10.200.50.2 access-list Policy_NAT1
static (inside,outside) 10.200.50.3 access-list Policy_NAT2
The consideration with both the Static Policy NAT and Dynamic Policy NAT/PAT would be that if these hosts have Static NAT configured to the direction of the "outside" interface then that Static NAT would override both of these configurations.
If you were using Dynamic Policy NAT and had a Static NAT also for the host then you would have to change to using the above mentioned Static Policy NAT to be able to override the Static NAT.
And with the above in mind the possible existing Static NAT and new Static Policy NAT might have some problems together also. In that case the ordering of the NAT rules would determine if the Static Policy NAT was ever applied. If you had the Static NAT configured already then it would override the new Static Policy NAT. The solution would be to remove the Static NAT and enter it again. This would move the Static NAT after the Static Policy NAT in the order they show up on the CLI format configuration and therefore Static Policy NAT would work for the destination addresses specified and the Static NAT for all the other destination addresses.
Hope I made any sense
Feel free to ask more if needed though
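Added example, not from either poster: a small Python model of the first-match rule ordering the answer describes, using a hypothetical pre-existing plain static NAT for 192.168.100.10 (203.0.113.10 is a constructed placeholder address) alongside the policy static from the answer, plus a check that the translated source still falls inside the crypto ACL ("access-list VPN") from the question.

```python
import ipaddress

# Constructed model (not ASA code) of the first-match ordering the answer
# describes for pre-8.3 "static" rules: a plain static NAT for a host
# matches any destination, a policy static only its ACL destination.
class StaticRule:
    def __init__(self, real, mapped, dest=None):
        self.real = ipaddress.ip_address(real)
        self.mapped = ipaddress.ip_address(mapped)
        # dest is None for a plain static; otherwise the policy ACL destination
        self.dest = ipaddress.ip_network(dest) if dest else None

    def matches(self, src, dst):
        if ipaddress.ip_address(src) != self.real:
            return False
        return self.dest is None or ipaddress.ip_address(dst) in self.dest


def translate(rules, src, dst):
    """Mapped source for a flow under first-match ordering (real source if no rule hits)."""
    for rule in rules:
        if rule.matches(src, dst):
            return str(rule.mapped)
    return src


SITE_B = "192.168.200.128/25"
VPN_NAT_POOL = "10.200.50.0/28"
# Hypothetical pre-existing plain static NAT for the same host; the public
# address is a constructed placeholder from the documentation range.
PLAIN_STATIC = StaticRule("192.168.100.10", "203.0.113.10")
POLICY_STATIC = StaticRule("192.168.100.10", "10.200.50.2", SITE_B)

# Problem order from the answer: the old static NAT is hit first for every destination.
broken_order = [PLAIN_STATIC, POLICY_STATIC]
# After removing and re-entering the plain static, it follows the policy static.
fixed_order = [POLICY_STATIC, PLAIN_STATIC]


def crypto_acl_matches(src, dst):
    """Does the translated flow match 'access-list VPN' (post-NAT addresses)?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(VPN_NAT_POOL)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(SITE_B))


def tunnel_ok(rules, src, dst):
    """Would traffic from src to dst be translated so that it is selected for the tunnel?"""
    return crypto_acl_matches(translate(rules, src, dst), dst)
```

With the broken order, traffic to Site B is translated to the public address and never matches the crypto ACL; with the fixed order it becomes 10.200.50.2 for Site B and keeps the plain static for every other destination.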