I have a situation where I own both sides of a VPN tunnel between IOS boxes with no NAT at all. However, I have 2 servers that I now have to static NAT to two brand new IP addresses to meet network requirements on the "far" end. Unfortunately I never NAT on an IOS device--always a PIX/ASA or VPN-3000 box, and just haven't gotten the hang of it from the configuration examples.
A basic example of how to do this (without NATing any of the other traffic) would be greatly appreciated.
Thank you. Please verify for me that this will not cause any negative impact on the other traffic on the network, for instance requiring me to write NAT rules for anything else? I just want to be certain before I proceed as it is a production system and I don't have the luxury of a test-system right now.
There's no need for explicit NAT rules for other traffic and they would continue to pass un-natted. The one thing you would have to do is, if you aren't doing GRE tunneling with IPSEC, your crypto access list should permit traffic to the NAT (global) address of the Server to be encrypted. The other side should mirror this access list.
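The setup described in the answer above, written out as an added example that is not part of the original thread: static NAT for two servers on an IOS router using a crypto map (no GRE), with both ends of the crypto access list. Every address, the ACL number, the interface names and the crypto map name are constructed placeholders.

```cisco
! Constructed example, placeholder values throughout:
!   servers (real)        10.1.1.10, 10.1.1.11
!   servers (translated)  172.16.50.10, 172.16.50.11
!   far-end network       192.168.20.0/24
!
! --- Near-end router (the one in front of the servers) ---
interface FastEthernet0/0
 description LAN side, servers live here
 ip nat inside
!
interface FastEthernet0/1
 description WAN side, crypto map is applied here
 ip nat outside
 crypto map VPNMAP
!
! One-to-one translations for the two servers only. No other host
! matches a NAT rule, so all other traffic keeps its real addresses.
ip nat inside source static 10.1.1.10 172.16.50.10
ip nat inside source static 10.1.1.11 172.16.50.11
!
! Outbound, IOS translates before it checks the crypto map, so the
! crypto ACL has to match the translated (global) server addresses.
access-list 110 permit ip host 172.16.50.10 192.168.20.0 0.0.0.255
access-list 110 permit ip host 172.16.50.11 192.168.20.0 0.0.0.255
! Existing entry for the hosts that are not translated stays as it is.
access-list 110 permit ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! --- Far-end router: mirror image of the ACL above ---
access-list 110 permit ip 192.168.20.0 0.0.0.255 host 172.16.50.10
access-list 110 permit ip 192.168.20.0 0.0.0.255 host 172.16.50.11
access-list 110 permit ip 192.168.20.0 0.0.0.255 10.1.1.0 0.0.0.255
```

These static entries translate the two servers for anything they send out the `ip nat outside` interface, not only tunnel traffic. After applying, `show ip nat translations` and `show crypto ipsec sa` confirm that the translated addresses are the ones being matched and encrypted.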