VPN Tunnel & Static NAT

One of our clients has a site-to-site VPN tunnel established. The peer partner is requesting the ability to use a public IP statically NAT'd to our server in order to reach our local server, since multiple remote sites from the peer have the same local IP scheme.

We have a Cisco ASA 5505.

The tunnel is established, and I have a static NAT established, but I'm unable to get the traffic to use the static NAT instead of the internal address.

Any ideas?
Asked by: TechGuy_007

SIM50 Commented:
You need to set up policy NAT, which will do NAT for a specific destination.

access-list VPN_NAT extended permit ip host <INSIDE IP> <REMOTE NETWORK> <REMOTE NETWORK MASK>
static (Inside,Outside) <Public IP> access-list VPN_NAT

You will also need to modify the VPN configuration and change the <INSIDE IP> to <Public IP>. The remote peer will need to do the same, or the encryption domains will not match and the VPN will not come up.

asavener Commented:
You can NAT and then encrypt traffic over the VPN; NAT takes place before crypto operations.

This would require changing the VPN, though, so that the VPN matches the public IP to which the server is NAT'd.

Just set up a static NAT and change the access lists for the VPN (each end has to be modified).

Policy NAT will work, but it is not strictly necessary.
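
Added example, not part of either answer above: the policy NAT and the matching encryption-domain change written out as one pre-8.3 ASA configuration. All addresses are constructed (192.168.1.10 inside server, 203.0.113.10 public IP, 10.50.0.0/16 peer network), and CRYPTO_ACL, OUTSIDE_MAP, NONAT and sequence number 10 are hypothetical names standing in for whatever the running config uses.

```cisco
! Pre-8.3 ASA syntax, matching the static command quoted in the thread.
! Constructed values: inside server 192.168.1.10, public IP 203.0.113.10,
! peer network 10.50.0.0 255.255.0.0. CRYPTO_ACL, OUTSIDE_MAP, NONAT and
! sequence 10 are hypothetical; substitute the names in the running config.

! 1. Policy NAT: translate the server only when it talks to the peer network.
!    The ACL is defined first so the static command can reference it.
access-list VPN_NAT extended permit ip host 192.168.1.10 10.50.0.0 255.255.0.0
static (Inside,Outside) 203.0.113.10 access-list VPN_NAT

! 2. NAT exemption (nat 0 access-list) is evaluated before static NAT.
!    If an existing exemption entry still covers this flow, the server keeps
!    its internal address across the tunnel, so remove that entry if present.
no access-list NONAT extended permit ip host 192.168.1.10 10.50.0.0 255.255.0.0

! 3. Encryption domain: NAT takes place before crypto, so the crypto ACL must
!    match the translated (public) address. Add the new entry, then remove
!    the entry that referenced the internal address.
access-list CRYPTO_ACL extended permit ip host 203.0.113.10 10.50.0.0 255.255.0.0
no access-list CRYPTO_ACL extended permit ip host 192.168.1.10 10.50.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address CRYPTO_ACL

! 4. Checks, once the peer has mirrored the change on its side.
!    10.50.0.5 and the ports are constructed test values.
clear xlate local 192.168.1.10
show xlate
packet-tracer input Inside tcp 192.168.1.10 1025 10.50.0.5 80
show crypto ipsec sa
```

In the packet-tracer output, the NAT phase should show 192.168.1.10 translated to 203.0.113.10 before the VPN encrypt phase, and the IPsec SA's local identity should list the public address.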
Question has a verified solution.
