cisco20

Site to Site VPN NAT question

Hi,

I'm fairly new to ASA NATing while using VPN. I was wondering what best practice would be for NATing in my case.
I'm thinking one-to-one static NAT since I have 30 usable public IPs and was thinking about using one dedicated to connect to this vendor server. The "outside" IP the My CORP ASA is using can't be used as the NATed IP, can it?

I attached a diagram using random IPs.

Thanks
example-diagram.jpg

Last Comment
cisco20

8/22/2022 - Mon
MikeKane

The IP assigned to the ASA's outside interface can be used for outbound NATing.  

Use the commands:
"global (outside) 1 interface"
"nat (inside) 1 0.0.0.0 0.0.0.0"

RustyZ32

You should disable NAT altogether for a site-to-site tunnel.

The commands (making some assumptions on your config):

nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip localsubnet netmask remotesubnet netmask

Each ASA would have those commands.
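
A check for the point in the answer above that each ASA carries the same NAT-exemption commands with local and remote subnets swapped. This is an added example, not part of the original post: the function names and the RFC 1918 subnets are constructed for illustration, and it only parses the `permit ip <net> <mask> <net> <mask>` form shown in the answer.

```python
import ipaddress
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
                 + r"\s+".join([IP] * 4) + r"\s*$")
# nat (IFNAME) 0 access-list NAME   (NAT exemption)
NAT0 = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")


def nat_exempt_pairs(config):
    """Return the set of (local_net, remote_net) pairs exempted from NAT."""
    lines = [line.strip() for line in config.splitlines()]
    acl_names = {m.group(2) for m in map(NAT0.match, lines) if m}
    pairs = set()
    for m in filter(None, map(ACE.match, lines)):
        name, src, smask, dst, dmask = m.groups()
        if name in acl_names:  # ignore ACLs not bound to "nat ... 0"
            pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                       ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def mirror_mismatches(config_a, config_b):
    """Return (missing_on_b, missing_on_a): entries with no reversed twin."""
    a, b = nat_exempt_pairs(config_a), nat_exempt_pairs(config_b)
    missing_on_b = {(l, r) for (l, r) in a if (r, l) not in b}
    missing_on_a = {(l, r) for (l, r) in b if (r, l) not in a}
    return missing_on_b, missing_on_a


# Constructed sample configs; subnets are illustrative only.
SITE_A = """
nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
"""
SITE_B_OK = """
nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
# Site B's local subnet entered as a /25, so it no longer mirrors site A.
SITE_B_BAD = """
nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip 10.2.2.128 255.255.255.128 10.1.1.0 255.255.255.0
"""

if __name__ == "__main__":
    print(mirror_mismatches(SITE_A, SITE_B_OK))
    print(mirror_mismatches(SITE_A, SITE_B_BAD))
```
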
cisco20

ASKER
Can you please elaborate a little on why no NAT is needed for my servers to communicate? Thanks.
ASKER CERTIFIED SOLUTION
RustyZ32

cisco20

ASKER
Yes, you are correct, the connection is between 2 ASAs. I think I'll use the wizard for this setup before using the CLI to get a clearer picture.
cisco20

ASKER
Thanks.