I am working on a project to simplify our routing by NAT'ing the IPs of our S2S VPN clients. Currently, we have a bunch of routes pointing to various destinations which are created by the S2S VPNs. I would like to NAT all of those destinations to IPs within a single subnet, but have a question regarding the configuration.
As you can see, we aren't currently NAT'ing anything:
What I would like to do is NAT the THEIR_HOSTS to a 10.200.192.x/24 address. Can I NAT those to a single address and do NAT overload, or does there have to be an address for each of those 3 hosts? I'm fine either way. Whichever would be easier to do, please point me in the right direction.
You would have to do 1:1 NAT for each address to keep the connectivity in its original state. Except of course the changed destination IP address to which your internal host connects.
As NAT is done before L2L VPN it means that your source address NAT (or lack of) and destination address UN-NAT is done before VPN negotiations, so it shouldn't require changes to the L2L VPN configurations either.
Naturally the easiest situation is when you can NAT a complete remote network to a same sized NAT subnet. The NAT configuration will stay clearer/simpler. Naturally if some L2L VPN only has host (/32) addresses then you will need more configurations.
So I would say do 1:1 NAT for the destination addresses. Either on a per host basis if the VPN setup in question demands it or 1:1 per subnet if the situation permits.
If you are running 8.3 software then I am not sure how the NAT will perform. What I mean is that your configuration is correct, but I have had problems on certain ASA software to get the NAT configuration to be matched correctly even though everything is configured correctly. If you happen to run into problems with the setup I would consider upgrading the software to 8.4(7) for example.
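The 1:1 destination NAT described in the answer above, written out as an added example in ASA 8.3+ object NAT syntax (this is not the poster's configuration, which is not shown on the page). All object names are hypothetical and the remote addresses are constructed documentation-range values; only the 10.200.192.0/24 mapped range comes from the question.

```cisco
! Per-host 1:1 static NAT: each remote VPN host gets one address in
! 10.200.192.0/24. Inside hosts connect to the mapped address; the ASA
! un-NATs the destination before the crypto map is consulted, so the
! existing crypto ACLs keep matching the real remote addresses.
object network THEIR_HOST_A
 host 192.0.2.10
 nat (outside,inside) static 10.200.192.10
!
object network THEIR_HOST_B
 host 192.0.2.11
 nat (outside,inside) static 10.200.192.11
!
object network THEIR_HOST_C
 host 203.0.113.20
 nat (outside,inside) static 10.200.192.20
!
! Per-subnet 1:1 static NAT: where a peer advertises a whole network,
! map it onto a same-sized mapped subnet instead of one rule per host
! (the 10.200.193.0/24 mapped range here is an assumption).
object network THEIR_NET_D
 subnet 198.51.100.0 255.255.255.0
object network THEIR_NET_D_MAPPED
 subnet 10.200.193.0 255.255.255.0
object network THEIR_NET_D
 nat (outside,inside) static THEIR_NET_D_MAPPED
!
! Verification: confirm the rules were installed and that a flow from an
! inside host (10.0.0.5 is a constructed address) to a mapped address is
! un-NATed to the real remote host and then handed to the VPN.
show nat detail
packet-tracer input inside tcp 10.0.0.5 40000 10.200.192.10 443 detailed
```

In the packet-tracer output, the NAT phase should show the destination rewritten to the real remote address and a later VPN/encrypt phase should show the flow matching the existing L2L tunnel; if the NAT phase is skipped, the rule is not being matched, which is the behaviour the answer warns about on some 8.3 builds.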