I have come across a few situations where I needed to NAT VPN traffic to a certain IP address. The remote end (usually a site that terminates a lot of VPN connections) wouldn't allow private addressing to be used, so I needed a public IP address or range to use. In this case I wanted my 10.0.0.0 subnet to be NAT'ed to the 174.X.X.167 address. The remote end will accept this, since my client will only be sending traffic to them; they will not be initiating traffic to us. That means we only need one IP address, because they are not trying to reach multiple servers at my customer's site.
Let's look at the config:
Phase I:
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
Phase II:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Tunnel creation:
tunnel-group 62.X.X.233 type ipsec-l2l
tunnel-group 62.X.X.233 ipsec-attributes
pre-shared-key passkey
Now the fun stuff. Remember, we ARE NAT'ing our traffic: we want to NAT our 10.0.0.0 private network to 174.X.X.167. So, we need to define which internal traffic gets NAT'ed when it is destined to 206.X.X.210.
NAT ACL:
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 host 206.X.X.210
Now, let's do the encryption ACL. Traffic coming from the 10.0.0.0 network is NAT'ed to 174.X.X.167 before the crypto map is evaluated, so the encryption ACL must match the translated source 174.X.X.167 destined to 206.X.X.210. The following encryption ACL will do for traffic across the VPN.
Encryption ACL:
access-list customer-access extended permit ip host 174.X.X.167 host 206.X.X.210
Now, we have to tell it to NAT. We do this with a static policy NAT translation: if the ACL policy-nat is matched, the source is translated to 174.X.X.167.
static (inside,outside) 174.X.X.167 access-list policy-nat
Then add the crypto map entry:
crypto map outside_map 20 match address customer-access
crypto map outside_map 20 set peer 62.X.X.233
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
Apply it to the outside interface:
crypto map outside_map interface outside
crypto isakmp enable outside
Done. Now you are NAT'ing your VPN traffic across the site-to-site VPN.
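The reason the encryption ACL above is written against 174.X.X.167 rather than 10.0.0.0 is that policy NAT is applied before the crypto map ACL is checked. The following Python model is an added example, not ASA code or anything from the original post: it replays that ordering for a packet and shows that a crypto ACL written against the pre-NAT private source never matches, so the traffic would miss the tunnel. The public addresses are masked in the post, so RFC 5737 documentation addresses stand in for 174.X.X.167 and 206.X.X.210.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line of an extended ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_permits(acl, src, dst):
    """True if any entry in the ACL matches the source/destination pair."""
    return any(src in entry.src and dst in entry.dst for entry in acl)


# Placeholders (constructed): the post masks its public addresses, so
# RFC 5737 documentation ranges stand in for them here.
NAT_PUBLIC = ipaddress.ip_address("192.0.2.167")      # stands in for 174.X.X.167
REMOTE_HOST = ipaddress.ip_address("198.51.100.210")  # stands in for 206.X.X.210
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")       # 10.0.0.0 255.0.0.0


def host(addr):
    return ipaddress.ip_network(f"{addr}/32")


# access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 host 206.X.X.210
POLICY_NAT_ACL = [AclEntry(INSIDE_NET, host(REMOTE_HOST))]
# access-list customer-access extended permit ip host 174.X.X.167 host 206.X.X.210
CRYPTO_ACL = [AclEntry(host(NAT_PUBLIC), host(REMOTE_HOST))]
# Common mistake: crypto ACL written against the pre-NAT private source.
CRYPTO_ACL_PRE_NAT = [AclEntry(INSIDE_NET, host(REMOTE_HOST))]


def outbound(src, dst, policy_nat_acl, crypto_acl):
    """Model the outbound order for this design: the policy NAT
    (static ... access-list policy-nat) translates the source first, then the
    crypto map's match ACL is evaluated against the translated packet.
    Returns (source address on the wire, whether the packet enters the tunnel)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_permits(policy_nat_acl, src, dst):
        src = NAT_PUBLIC
    return str(src), acl_permits(crypto_acl, src, dst)


if __name__ == "__main__":
    for acl in (CRYPTO_ACL, CRYPTO_ACL_PRE_NAT):
        print(outbound("10.1.2.3", str(REMOTE_HOST), POLICY_NAT_ACL, acl))
```

The model only covers this one NAT rule and crypto map entry; on a real ASA, traffic that matches neither would be handled by whatever other NAT and routing rules exist.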