Cisco ASA 5505 Site-to-Site VPN with NAT using ASDM

I've done many VPN setups using the ASDM Site-to-Site Wizard in the past. But a company we are trying to connect with now is requiring us to NAT our internal server IP to a public address they have provided. I have searched to no avail on this and tried many configurations. A walkthrough of the correct setup using the ASDM GUI would be appreciated. I know nothing about using the CLI and I would be scared I would mess something up and cause more problems. It would be helpful to know what to put into the VPN Wizard and then how to set up the NATing. Static NAT or Policy NAT? Do I de-select NAT Exemption on the VPN Wizard screen? These are the issues I'm having with this. If I haven't explained very well, please let me know of any additional info you may need to help me. Thank you in advance.

My parameters (fake addresses):
  Peer IP: 173.243.xxx.xxx
  Internal server IP: 172.16.2.153 (needs to be NATed to 161.250.141.249 for traffic on TCP port 2004)

Company I'm connecting to:
  Peer IP: 161.250.81.xxx
  Encryption domain: 162.250.140.1
Asked by bwright1

asavener commented:
You have the basic steps.  Run through the VPN wizard, using the public IP address of the server, then set up a static NAT for the server.

Cisco order of operations is for NAT to occur before crypto, so the traffic will be NAT'd, then encrypted.  For the encryption to work, the interesting traffic has to match the public IP of the server.
bwright1 (author) commented:
Thank you for your help.  I used the VPN wizard and I have phase one of the tunnel up but phase two will only receive packets and not transmit.  Right now that's because I have not setup NAT.  I would like your recommendation on that.  Static NAT or Static Policy NAT?  Below are the steps I took to create the tunnel and what entries showed up in ASDM after it was created.  Can you tell me if this is all correct?

This was the only decision I wasn't sure about during the wizard. I left it checked.

[Screenshot: exempt?]

This showed up in NAT Rules after the wizard.

[Screenshot: exemptNAT]

These show up in the ACL Manager.

[Screenshot: cryptoNAToutbound]

This shows up in Site-to-Site VPN Crypto Maps.

[Screenshot: cryptomap]

These are the VPN session details: you will notice I am receiving packets from the other side but not transmitting a reply to those ping packets. The next step is to set up NAT. This is where I need help on what to put in the fields when I choose ADD STATIC NAT RULE (for example: source, destination, PAT, etc.). Thank you so much for your help.

[Screenshot: Session-details.jpg]
asavener commented:
I suggest a static NAT rule.  The current exemptions shouldn't affect you.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_objects.html#wp1106703

You need to add or edit the network object for the server.   Create a Host object, enter the appropriate IP address, name, etc.  Then select the NAT rules, enable a static NAT rule, and enter the public IP address of the server.
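Putting asavener's two answers together (NAT runs before crypto, so the interesting-traffic ACL must name the post-NAT public address; and the server gets a plain static NAT on its network object), the following is the ASA CLI equivalent of those ASDM steps. It is an added example, not configuration from this thread or from Cisco. It assumes ASA 8.3 or later (the object-NAT model documented in the ASDM 6.3 guide linked above), uses the fake addresses from the question, and the object, ACL and crypto-map names are made up. The IKE policy, transform set and tunnel-group lines the wizard also writes are left out because their syntax differs between 8.3 and 8.4.

```cisco
! Added example (not from the thread). Assumes ASA 8.3+ object NAT.
! Object/ACL/map names are hypothetical; addresses are the question's fake ones.

! 1. Network object for the real server with a static NAT to the public
!    address the partner assigned. This is the ASDM "add/edit the host
!    object, enable static NAT, enter the public IP" step.
object network SRV-2004
 host 172.16.2.153
 description internal server, presented to the partner as 161.250.141.249
 nat (inside,outside) static 161.250.141.249

! 2. Interesting traffic. NAT happens before encryption on the ASA, so the
!    crypto ACL must match the POST-NAT source (161.250.141.249), never
!    172.16.2.153. This is what the wizard produces when the local network
!    entered is the public address.
access-list OUTSIDE_CRYPTOMAP extended permit ip host 161.250.141.249 host 162.250.140.1

! 3. Crypto map entry binding that ACL to the partner peer (peer octets left
!    masked as in the question). Policy/transform-set lines omitted.
crypto map OUTSIDE_MAP 1 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 1 set peer 161.250.81.xxx
crypto map OUTSIDE_MAP interface outside

! 4. Checks. The trace should show a NAT phase translating the source to
!    161.250.141.249 followed by a VPN encrypt phase that matched
!    OUTSIDE_CRYPTOMAP; the port is the server's listening port from the
!    question, the partner port is a made-up ephemeral one.
packet-tracer input inside tcp 172.16.2.153 2004 162.250.140.1 40000
show nat detail
show crypto ipsec sa
```

Two caveats worth knowing when reading the output. First, the NAT exemption the wizard added (the box left checked) is a manual/twice-NAT identity rule for the local network that was typed into the wizard, i.e. the public address; it never matches a packet whose real source is 172.16.2.153, so it does not override the object NAT above, which is why the answer says it shouldn't affect you. Second, the static shown maps every port of the server to the public address; if only TCP 2004 should be reachable through the tunnel, the object NAT can be narrowed with `nat (inside,outside) static 161.250.141.249 service tcp 2004 2004`, and the crypto ACL can be narrowed from `ip` to `tcp ... eq 2004` to match.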

bwright1 (author) commented:
Thank you for your help. The tunnel is up and working now.