I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.
Basically, you configure static nat, policy nat, nat exemption as you desire. Then make your crypto ACL match the outside addresses. If you have control over both ends, you can do source address translation on each end (which is the easiest). If you need to, you can do source and destination on both ends. Alternatively, you may just need to do source translation on one end. I have had all sorts of weird scenarios. For instance a vendor requires me to do source NAT to alternative RFC1918 address space.
Here is an example I documented that does both. You can tweak it as necessary to fit your scenario. In my opinion, the 8.2 syntax is much easier than the 8.4.
Thanks Paul. That is exactly what i was looking for.