Hi,

If your Internet connection and VPN use the same interface on the ASA (which they usually do) then you should configure a Dynamic Policy NAT. You will have to specify the destination networks as the remote L2L VPN networks.

The reason for this is simply that if you might cause this translation to apply to your users Internet traffic and therefore potentially NAT them to a Private NAT pool and prevent Internet connecitivity.

And yes, you will use your NATed source address as the source for the L2L VPN interesting traffic in the Crypto ACL.

I am not sure what software you are using but the basic configuration format (that can differ depending on your current NAT configuration) could be

Software 8.2 (and older)

global (outside) 200 1.1.1.1-1.1.1.253

global (outside) 200 1.1.1.254

access-list POLICY-NAT permit ip

nat (inside) 200 access-list POLICY-NAT

Software 8.3 (and above)

object network NAT-POOL

range 1.1.1.1 1.1.1.253

object network PAT-ADDRESS

host 1.1.1.254

object-group network DYNAMIC-NAT-PAT

network-object object NAT-POOL

network-object object PAT-ADDRESS

object-group network SOURCE-NETWORKS

network-object 10.10.10.0 255.255.255.0

object-group network DESTINATION-NETWORKS

network-object 192.168.10.0 255.255.255.0

nat (inside,outside) after-auto 1 source dynamic SOURCE-NETWORKS DYNAMIC-NAT-PAT destination static DESTINATION-NETWORKS DESTINATION-NETWORKS

The above configurations are just rough examples of what the Dynamic NAT (+ PAT Overload) might look like on the ASA depending on the software

The PAT address is added here just incase the Pool is smaller than the source networks address space. Otherwise NAT pool might run out and connections could start failing.

Both configurations should be modified according to current configurations so that they are applied correctly.

- Jouni