I have a client with a Layered Cisco network solution. Their Cisco router is public facing and provides a private IP address to the Cisco ASA behind it.
I need to be able to create a VPN tunnel into the ASA. There are public IP addresses available to be statically NAT'ed to the ASA, one has been selected by the IT person on site and has been translated to an IP address in the network of the ASA but NOT the IP address of the interface connecting the ASA to the Router.
I've configured the VPN on both the ASA and the other end point (a Linksys RV042) and can see both devices attempting to bring up phase one of the tunnel. The RV042 is complaining about using Main Mode and the ASA seems to be complaining about the network I've set as the local network.
Behind the ASA are multiple additional networks which have static routes back through the ASA into the router.
I guess my initial question is if it's even possible to NAT a VPN tunnel in this manner. The IT person on site doesn't seem particularly interested in statically NAT'ing to the interface IP but I suspect this is going to be necessary to bring the tunnel up.
My follow-on questions relate to which network on the ASA side to specify as local (IP network of the ASA on the internal side or the one NAT'ed network that I need traffic to pass into) and what ports to allow into the ASA from the static map (I'm currently allowing ESP, ISAKMP and 4500).
Help appreciated. I can post a sanitized version of the router and ASA configs if they'll be helpful.