It's been "a while" since I've been near an ASA for VPN configuration purposes, indeed I think it was running 6.something and still called a Pix :-)
Anyhow, I (vaguely) remember it used to be the case that when you had an/some existing L2L ipsec VPN config and you wanted to change/add/whatever to it, planning in things like removing the crypto map from the outside interface first was A Good Idea if one wanted to avoid days of headscratching as to why a perfectly reasonable modification screwed the whole thing over - does that still apply, or is it all a bit more stable/forgiving nowadays?
If you have a scenario, say, similar to "L2L with overlapping networks", is it possible to have a many-to-few policy NAT? For instance, instead of the example given in the config docs:
access-list policy-nat extended permit ip 172.18.1.0 255.255.255.0 192.168.1.0 255.255.255.0
is it possible in any way to run your internal network of 192.168.1.0 into a smaller range? If not everything in the internal network will be going via VPN, could something like
access-list policy-nat extended permit ip 172.18.1.0 255.255.255.240 192.168.1.0 255.255.255.0
work? Would that NAT the first x addresses of the subnet, 1-to-1 (i.e. 192.168.1.1-14 > 172.18.1.1-14), or the first addresses 'seen' to traverse the tunnel (which is what I'd like to happen), like maybe 192.168.1.212 -> 172.18.1.1, 192.168.1.34 -> 172.18.1.2 etc... (and presumably tough luck if you're internal host #15), or, as I suspect, is such a thing not even possible?
Yes, the ASA is much more stable with respect to the problem you referred to. To answer your second question, you may PAT the tunnel traffic to even a single IP address with a policy NAT statement, but then this will be a uni-directional tunnel.
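As an added illustration (not part of the original thread), here is what the PAT-to-one-address approach from the reply looks like in the pre-8.3 nat/global syntax that the question's access-list policy-nat line implies, together with a dynamic-pool variant for the "first hosts seen" behaviour the question asks about; the addressing (inside 192.168.1.0/24, a remote 10.10.10.0/24, translated range 172.18.1.0/28), the ACL names and NAT ID 2 are all assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 ASA policy NAT syntax assumed.
! Constructed addressing: inside 192.168.1.0/24, remote site 10.10.10.0/24 (assumed),
! translated range 172.18.1.0/28 as in the question.
!
! Policy NAT ACL: match the REAL inside source, but only when it is headed
! for the remote network, so only tunnel-bound traffic is translated.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! Variant A (what the reply describes): PAT every tunnel-bound host to one address.
! Only inside hosts can initiate; the remote site has no per-host mapping to
! reach a specific inside host, which is why the tunnel is effectively one-way.
nat (inside) 2 access-list policy-nat
global (outside) 2 172.18.1.1
!
! Variant B (use instead of A, same NAT ID shown for comparison): a dynamic NAT pool
! of 14 addresses, handed to whichever inside hosts send tunnel traffic first.
! Once the pool is exhausted further hosts get no translation and are dropped,
! unless a PAT address under the same NAT ID is also configured as a fallback.
! global (outside) 2 172.18.1.1-172.18.1.14 netmask 255.255.255.240
! global (outside) 2 172.18.1.15
!
! The crypto ACL (interesting traffic) must reference the TRANSLATED source, and the
! remote peer must define 172.18.1.0/28, not 192.168.1.0/24, as your network.
access-list l2l-vpn extended permit ip 172.18.1.0 255.255.255.240 10.10.10.0 255.255.255.0
crypto map outside_map 10 match address l2l-vpn
```

Check the result with show xlate after sending traffic through the tunnel: variant A shows one translated address for every host, variant B shows one pool address per inside host.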