Can I manipulate ASAv outside interface private IP to establish IpSec?

sudsark
Level 1

Hi There, 

I have an IPsec tunnel set up as "cisco router <--> NAT instance (EC2 on AWS on a public IP) <--> cisco ASAv (outside interface private IP)". The tunnel is coming up and connectivity works as well, but I could see in the log that the tunnel is established and doing the IKEv2 SA with the private IP of the ASA, but I want only the public IP of the NAT instance to be recognized in the tunnel negotiation.

The reason I need this ^^ is, we eventually would be having 1000's of tunnels which need to be migrated into this new setup, and while doing that setup we are not allowed to make any changes in the left side routers. All changes should only be in the NAT and in the ASAv. Since at the moment the customer is having a Cisco ASA on-prem and all tunnels are terminating on the public IP of the ASA outside interface, all tunnel negotiation is happening through the public IP of the ASA itself. But in future we want to bring the same IP over to AWS with BYOIP and keep that public IP as the public IP of the NAT instance, and all communication should be seamless without making any changes in customer routers.

Considering this scenario, my question is: is there any way we can adjust settings in the ASA which will make the tunnel negotiate and establish with the public IP of the NAT instance? Please let me know if any questions.

Appreciate any help on this . 

Thanks

Suddhasil
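The behaviour described in the post, the peer router logging the ASAv's private address even though the packets arrive from the NAT instance's public address, comes from two separate IKEv2 mechanisms defined in RFC 7296: NAT detection (section 2.23), which lets each side discover that the other is behind a NAT, and the Identification payload (section 3.5), which carries whatever identity the responder chooses to send and is not rewritten by the NAT. The following Python script is an added illustration of those two mechanisms and is not code from the thread or from Cisco; the addresses, SPIs and ports are constructed sample values, and the script does not model any ASA configuration command or claim which identity types a given ASA release supports:

```python
"""
Illustrates two IKEv2 mechanisms that matter when an IPsec responder (here an
ASAv) sits behind a NAT instance, per RFC 7296: NAT detection (section 2.23)
and the Identification payload (section 3.5). All addresses, SPIs and ports are
constructed for this example and are not taken from the thread.
"""
import hashlib
import socket
import struct

# Identification payload ID types (RFC 7296, section 3.5)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_KEY_ID = 11

# Constructed sample values: the ASAv's outside interface address, the public
# address of the NAT instance in front of it, and fixed IKE SPIs.
ASAV_PRIVATE_IP = "10.0.1.10"
NAT_PUBLIC_IP = "203.0.113.5"
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")
IKE_PORT = 500
NAT_T_PORT = 4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify:
    SHA-1 over SPIi | SPIr | IPv4 address | UDP port (RFC 7296, section 2.23)."""
    return hashlib.sha1(
        spi_i + spi_r + socket.inet_aton(ip) + struct.pack("!H", port)
    ).digest()


def peer_is_behind_nat(spi_i: bytes, spi_r: bytes, received_hash: bytes,
                       observed_ip: str, observed_port: int) -> bool:
    """The receiver recomputes the hash over the source address and port it
    actually saw in the IP/UDP headers; a mismatch means a NAT rewrote them."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != received_hash


def encode_id_payload(id_type: int, data: bytes) -> bytes:
    """Identification payload body: ID Type (1 octet), RESERVED (3 octets), data."""
    return struct.pack("!B3x", id_type) + data


def decode_id_payload(body: bytes) -> tuple:
    """Return (id_type, human-readable identity) for an Identification payload body."""
    id_type = body[0]
    data = body[4:]
    if id_type == ID_IPV4_ADDR:
        return id_type, socket.inet_ntoa(data)
    return id_type, data.decode("ascii")


def simulate_responder_behind_nat() -> dict:
    """Model the ASAv (responder) answering the router through the NAT instance.

    The ASAv hashes the address it knows (its private one); the router
    recomputes the hash with the public address it saw on the wire, so NAT is
    detected and both sides move to UDP 4500. The IDr the ASAv sends is whatever
    identity it was configured with; the NAT does not change that payload, which
    is why an address-type identity still shows the private IP in the peer's log.
    """
    src_hash = nat_detection_hash(SPI_I, SPI_R, ASAV_PRIVATE_IP, IKE_PORT)
    nat_detected = peer_is_behind_nat(SPI_I, SPI_R, src_hash, NAT_PUBLIC_IP, IKE_PORT)
    idr_address = decode_id_payload(
        encode_id_payload(ID_IPV4_ADDR, socket.inet_aton(ASAV_PRIVATE_IP)))
    # A key-id identity is an opaque string chosen by the administrator; here it
    # is set to the public address purely to show that IDr is independent of NAT.
    idr_keyid = decode_id_payload(
        encode_id_payload(ID_KEY_ID, NAT_PUBLIC_IP.encode("ascii")))
    return {
        "nat_detected": nat_detected,
        "port_after_detection": NAT_T_PORT if nat_detected else IKE_PORT,
        "idr_with_address_identity": idr_address,
        "idr_with_keyid_identity": idr_keyid,
    }


if __name__ == "__main__":
    for key, value in simulate_responder_behind_nat().items():
        print(f"{key}: {value}")
```

Running the script shows that NAT detection succeeds (the hashes differ because the router sees 203.0.113.5 rather than 10.0.1.10), which is why the tunnel works at all, and that the IDr payload carries the private address only when an address-type identity is used; any change to what the peer sees in the negotiation therefore has to come from the identity the ASAv is configured to send, not from the NAT.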

1 Reply

sudsark
Level 1

Is there a way to configure the ASAv so that IPsec tunnel negotiation and establishment appear to originate from the NAT instance's public IP rather than the ASAv's private IP (on the left side of the network, in the Cisco router)? This would ensure customer routers see consistent behavior during migration.

Any guidance would be greatly appreciated.