I am trying to create a site-to-site VPN, except it's not the usual setup. The 3rd party have requested we NAT all our inside source addresses to a single address before sending it over the tunnel; this I believe is due to them wanting to avoid network overlaps on their end, as they have loads of VPNs.
So the flow we have is as follows:
multiple internal subnets ---> NAT to single address ---> VPN ----->Servers with outside addresses
With example IPs:
10.0.2.0/24 ----> NAT 220.127.116.11 -----> Over VPN------> 18.104.22.168 and/or 22.214.171.124
access-list VPNACL extended permit ip object-group vpnsourcesubnets-nat object-group vpndestinations
So regarding the above I have a few questions:
1. a) Should I be making the NAT statement dynamic rather than static? Should this be configured as dynamic NAT or dynamic PAT? I've come to the conclusion it should be dynamic PAT, as it's one address and multiple hosts, but I haven't seen any configuration guides with layouts like that, so I'm uncertain. If I do need to change it, how would this reflect in the config?
2. Should the ACL be basing its permissions on the pre-NAT addresses or post-NAT? I've seen a few config examples, but none of them seem to be consistent: one will say post-NAT, others will say pre-NAT.
3. We have multiple manual NAT statements within section 1 on the ASA that look like this:
nat (inside,outside) source static any any destination static nonat-rfc1918 nonat-rfc1918
nat (inside,outside) source dynamic any interface
Should I be placing my NAT statement above these? Could this cause any trouble?
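The following is an added ASA configuration example illustrating the flow described in the post (it is not the poster's config and not a Cisco reference config). It reuses the addresses quoted above; object names, the line position and the crypto map name are assumptions.

```cisco
! Objects (names assumed; addresses are the ones quoted in the post)
object network INSIDE-10.0.2.0
 subnet 10.0.2.0 255.255.255.0
object-group network vpnsourcesubnets
 network-object object INSIDE-10.0.2.0
 ! add the remaining internal subnets here
object network VPN-PAT-ADDR
 host 220.127.116.11
object network VPN-SRV-1
 host 18.104.22.168
object network VPN-SRV-2
 host 22.214.171.124
object-group network vpndestinations
 network-object object VPN-SRV-1
 network-object object VPN-SRV-2
! post-NAT source, referenced by the crypto ACL
object-group network vpnsourcesubnets-nat
 network-object object VPN-PAT-ADDR
!
! Section 1 (manual / twice NAT) is evaluated top-down, first match.
! The "1" places this rule at the top of section 1, i.e. ABOVE the existing
! "source dynamic any interface" line; left below it, traffic to the VPN
! servers would match that line first and be PAT-ed to the outside interface
! address instead of 220.127.116.11.
! Many real hosts mapped to one host object is dynamic PAT, not dynamic NAT
! (a one-address dynamic NAT pool would be exhausted after a single host).
nat (inside,outside) 1 source dynamic vpnsourcesubnets VPN-PAT-ADDR destination static vpndestinations vpndestinations
!
! Existing section 1 rules keep their relative order beneath it:
!   nat (inside,outside) source static any any destination static nonat-rfc1918 nonat-rfc1918
!   nat (inside,outside) source dynamic any interface
!
! Crypto ACL: the ASA translates before encrypting, so the ACL matches the
! post-NAT source (the single PAT address), not 10.0.2.0/24.
access-list VPNACL extended permit ip object-group vpnsourcesubnets-nat object-group vpndestinations
crypto map OUTSIDE_MAP 10 match address VPNACL
!
! Verification: confirm the new rule is hit and the flow is encrypted
! (sample host 10.0.2.10 and port 443 are constructed values).
!   show nat detail
!   packet-tracer input inside tcp 10.0.2.10 12345 18.104.22.168 443
!
! Caveat: dynamic PAT is one-directional. Only inside hosts can open
! connections through it; the far end cannot initiate to an individual
! 10.0.2.x host, because no static mapping exists for it.
```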
I believe it is going to be a one-way tunnel. I have a similar configuration on FW, but the client is trying to access our side network as they are and not the PAT IP address. If the traffic is to be initiated from the other end of the tunnel, then what needs to be done?