I am tasked with configuring a site-to-site VPN connection to a business partner in which I would first like to NAT my internal IPs to a public IP then send it across the tunnel, and vice versa when they try to access my servers I would like them to get to them via the external IP. Here is what I think I need to do, but I wondered what the community's thoughts were.
All IP addresses represented below are fictional.
Internal Servers / Public IP:
Local Peer IP: 220.127.116.11
Remote Peer IP: 18.104.22.168
Local Network: 22.214.171.124/24
Remote Network: 126.96.36.199/24
From my understanding, NAT will occur before the traffic is sent out through a tunnel, to the internet, etc., so the configuration I think I need is the following:
nat (inside) 0 access-list nonat
nat (inside) 2 10.50.220.150
nat (inside) 3 10.50.220.151
nat (inside) 4 10.50.220.152
global (outside) 2 188.8.131.52
global (outside) 3 184.108.40.206
global (outside) 4 220.127.116.11
access-list nonat extended permit ip 18.104.22.168 255.255.255.0 22.214.171.124 255.255.255.0 (Do I even need this since it's getting NATed to a public IP anyway?)
access-list s2s-Customer extended permit ip 126.96.36.199 255.255.255.0 188.8.131.52 255.255.255.0
The NAT/PAT statements there take care of outbound NAT, but I assume I will also need static (inside,outside) NAT statements to take care of the inbound NAT, should users across the VPN tunnel want to initiate the traffic to our server. Is this correct?
Does the NAT order of operations take place inbound before attempting to pass traffic?
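The following is an added model of the order of operations the question is asking about; it is not configuration from the post or from Cisco, and the addresses are the post's fictional ones. It assumes pre-8.3 ASA behaviour: a `nat (inside) 0 access-list` exemption is checked before the numbered `nat`/`global` pairs, the crypto map ACL is matched against the already-translated packet on the way out, and inbound tunnel traffic is decrypted first and then un-translated through `static (inside,outside)` entries (the ones the post says it probably needs). The crypto ACL is modelled local-side-first, as the ASA expects, and the second `nonat` ACL used in the tests is a constructed one covering the translated hosts, to show what happens if the exemption matches them.

```python
import ipaddress

# Added model (not from the post) of pre-8.3 ASA NAT order for a site-to-site tunnel.
# All addresses are the fictional ones used in the question.

def net(s):
    return ipaddress.ip_network(s, strict=False)

LOCAL_NET = net("22.214.171.124/24")
REMOTE_NET = net("126.96.36.199/24")

# nat (inside) N <inside-host> paired with global (outside) N <public-ip>
NAT_GLOBAL = {
    "10.50.220.150": "188.8.131.52",
    "10.50.220.151": "184.108.40.206",
    "10.50.220.152": "220.127.116.11",
}

# Assumed static (inside,outside) <public-ip> <inside-host> entries for inbound access.
STATIC = {public: inside for inside, public in NAT_GLOBAL.items()}

# ACLs as (source_net, destination_net) pairs; first match wins, implicit deny.
NONAT_ACL = [(net("18.104.22.168/24"), LOCAL_NET)]      # access-list nonat (as posted)
CRYPTO_ACL = [(net("188.8.131.52/24"), REMOTE_NET)]     # access-list s2s-Customer, local side first (assumed)


def acl_permits(acl, src, dst):
    """True if any (src_net, dst_net) entry of the ACL matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def outbound(src, dst, nonat_acl=NONAT_ACL):
    """inside -> outside: NAT is applied first, then the crypto map is matched
    against the translated packet. Returns (address on the wire, encrypted?)."""
    if acl_permits(nonat_acl, src, dst):
        on_wire = src                        # nat 0 exemption: identity, beats nat/global
    else:
        # no matching nat rule: packet passes untranslated (nat-control off, the default)
        on_wire = NAT_GLOBAL.get(src, src)
    return on_wire, acl_permits(CRYPTO_ACL, on_wire, dst)


def inbound(src, dst, static=STATIC):
    """remote -> our public IP through the tunnel: decrypt (mirrored crypto ACL),
    then un-translate. Returns the inside host, or None if the flow cannot be delivered."""
    mirrored = [(d, s) for s, d in CRYPTO_ACL]
    if not acl_permits(mirrored, src, dst):
        return None                          # not interesting traffic: never decrypted
    # A dynamic nat/global pair only creates xlates for outbound-initiated flows,
    # so an unsolicited inbound packet needs a static entry to reach the inside host.
    return static.get(dst)


if __name__ == "__main__":
    print(outbound("10.50.220.150", "126.96.36.20"))
    print(outbound("10.50.220.150", "126.96.36.20", nonat_acl=[(net("10.50.220.0/24"), REMOTE_NET)]))
    print(inbound("126.96.36.20", "188.8.131.52"))
    print(inbound("126.96.36.20", "188.8.131.52", static={}))
```

Two things the model makes visible with the post's own values: if the `nonat` exemption covers the hosts you want translated, they leave with their inside address and no longer match a crypto ACL written in public addresses, so that traffic is routed in the clear instead of into the tunnel; and because the three `global` addresses in the post do not fall inside one /24, a crypto ACL built from `188.8.131.52 255.255.255.0` only encrypts the first host's traffic, so every global address has to be covered.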
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...