Because we use private addresses in the range 10/8 for internal use, and these addresses frequently conflict with the internally used network addresses of our partners, we usually offer an exclusive range of addresses, namely public addresses somewhere around 201.56.129.*, as destination addresses at our end. These addresses are never used for any purpose other than NAT inside of VPN tunnels. In addition, these addresses do not overlap with the networks where the tunnel endpoint addresses themselves reside.
For you that simply means that your systems ALWAYS talk to 201.56.129.* addresses at my end. It is my responsibility to translate such addresses to the internal addresses of our systems behind.
On the other hand, whenever an internal system at your side talks to 220.127.116.11, you have to ensure that the source address is replaced with 18.104.22.168, so that my system can properly route the packets back to my VPN firewall and into the proper VPN tunnel.
There is only one tricky point at your end: As the tunnel endpoint address is identical to the encrypted destination address, your device must properly handle this situation.
I have a Cisco 2801 at my side of the VPN. From my router conf:
The public address of my communication server is 22.214.171.124. The system works OK, and I have no problem but one: I do not want to have the public address available from the internet. So I have to NAT my server's public address:
ip nat inside source static 192.168.100.24 126.96.36.199
where 192.168.100.24 is the server's private address. Basically, what was done is that the above instruction was included in the Cisco setup. Certainly, I have deleted the public address from the communication server and added its private address instead to its connection setup.
The problem is that my application program from my communication server does not work. My crypto map was not changed after my reading of the NAT order of operation.
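
As an added illustration of the NAT order of operation mentioned above (not part of the original post and not a diagnosis of this router): on Cisco IOS, inside-to-outside traffic is translated first and only then compared against the crypto map ACL, so the ACL has to describe the post-NAT source. The addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed addresses (documentation ranges), not the ones from the post.
STATIC_NAT = {"192.168.100.24": "203.0.113.24"}   # inside local -> inside global
PARTNER_NET = "198.51.100.0/24"                   # remote side of the tunnel


def nat_inside_to_outside(src, dst):
    """Step 1 for inside->outside traffic: static NAT rewrites the source."""
    return STATIC_NAT.get(src, src), dst


def crypto_acl_matches(acl, src, dst):
    """Step 2: the crypto map ACL is evaluated on the already translated packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a_src) and d in ipaddress.ip_network(a_dst)
               for a_src, a_dst in acl)


def egress(acl, src, dst):
    """Return (post-NAT source, 'tunnel' or 'clear') for an outbound packet."""
    nat_src, dst = nat_inside_to_outside(src, dst)
    path = "tunnel" if crypto_acl_matches(acl, nat_src, dst) else "clear"
    return nat_src, path


# Crypto ACL written against the private address: never matches after NAT,
# so the traffic would leave outside the tunnel.
ACL_LOCAL = [("192.168.100.24/32", PARTNER_NET)]
# Crypto ACL written against the translated (global) address: matches.
ACL_GLOBAL = [("203.0.113.24/32", PARTNER_NET)]

if __name__ == "__main__":
    for name, acl in (("local", ACL_LOCAL), ("global", ACL_GLOBAL)):
        print(name, egress(acl, "192.168.100.24", "198.51.100.10"))
```

A crypto ACL that already references the public address therefore keeps matching when the server moves behind a static NAT to that same address.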