02-12-2009 05:38 PM - edited 02-21-2020 03:17 AM
I am just wondering whether the following site-to-site VPN configuration scenario will work.
ASA--Internet RTR ---Internet Cloud --Internet RTR --ASA
Here the ASA's outside interface will have a private IP address, but the Internet router at both sides will have a public IP address, and the Internet router will be configured to NAT the public IP address to the ASA outside interface's private IP address.
The ASA will be configured for site-to-site VPN with the peer IP address as the public IP address of the Internet routers.
Will this setup work?
Thanks
02-13-2009 02:29 AM
Hello,
I've never done this with ASA; however, it definitely works with IOS as your VPN endpoint. The only caveat is that you must use NAT, not PAT (i.e. one-to-one address mapping).
Thanks
02-13-2009 05:58 AM
"The only caveat is that you must use NAT not PAT (ie one to one address mapping)."
That is not correct. You can do port-direct on the routers. In other words, you can terminate VPN on the ASA using the router's public IP address. For example:
router's public IP: 4.2.2.2
ASA private IP: 192.168.1.2
on the Internet router:
interface f0/0
 ip nat outside
 ip address 4.2.2.2 255.255.255.0
interface f0/1
 ip nat inside
 ip address 192.168.1.1 255.255.255.0
! IKE (UDP 500) arriving on the outside address is redirected to the ASA
ip nat inside source static udp 192.168.1.2 500 interface f0/0 500
! ESP arriving on the outside address is redirected to the ASA
ip nat inside source static esp 192.168.1.2 interface f0/0
Now you can terminate VPN on the ASA using the router's public IP address as the VPN termination endpoint.
Easy right?
02-13-2009 10:34 AM
Thanks a lot.
I just want to verify one more thing.
Let's say I have 2 public addresses. Then I should be able to port map one public address as you mentioned above and use the other one for NAT (overload) to provide Internet access to the LAN users, as below:
public IPs: 4.2.2.2 and 4.2.2.3 (say, mask: 255.255.255.248)
ASA private IP: 192.168.1.2
on the Internet router:
interface f0/0
 ip nat outside
 ip address 4.2.2.2 255.255.255.248
interface f0/1
 ip nat inside
 ip address 192.168.1.1 255.255.255.0
! IKE (UDP 500) and ESP arriving on 4.2.2.3 are redirected to the ASA
ip nat inside source static udp 192.168.1.2 500 4.2.2.3 500
ip nat inside source static esp 192.168.1.2 4.2.2.3
! LAN users in access-list 1 are overloaded (PAT) behind 4.2.2.3
ip nat inside source list 1 4.2.2.3 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Thanks
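As an added check that is not part of this thread: a Python script that parses an IOS NAT config in the style of the two posted above and reports whether the static mappings an IPsec peer behind the router needs (UDP 500 for IKE, ESP, and UDP 4500 in case NAT-T is negotiated, which neither post includes) all point one public address at the ASA. The embedded sample is the last post's config with a UDP 4500 line added as an assumption; `check_ipsec_nat` is a name chosen here, not an IOS or ASA feature.

```python
import re
# Constructed sample: the last post's two-address config plus a UDP 4500 static
# mapping (not in the thread) so the NAT-T case is covered as well.
SAMPLE_CONFIG = """\
interface f0/0
 ip nat outside
 ip address 4.2.2.2 255.255.255.248
interface f0/1
 ip nat inside
 ip address 192.168.1.1 255.255.255.0
ip nat inside source static udp 192.168.1.2 500 4.2.2.3 500
ip nat inside source static udp 192.168.1.2 4500 4.2.2.3 4500
ip nat inside source static esp 192.168.1.2 4.2.2.3
ip nat inside source list 1 4.2.2.3 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""
# The public side of a static mapping is an address or "interface <name>".
STATIC_PORT = re.compile(
    r"^ip nat inside source static (udp|tcp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)$")
STATIC_ESP = re.compile(r"^ip nat inside source static esp (\S+) (?:interface (\S+)|(\S+))$")
IFACE = re.compile(r"^interface (\S+)$")
IP_ADDR = re.compile(r"^ip address (\S+) \S+$")

def check_ipsec_nat(config: str, asa_ip: str) -> dict:
    """Public address used by the UDP 500 ('ike'), UDP 4500 ('nat_t') and ESP
    mappings for asa_ip, or None if absent; 'consistent' is True when all
    present mappings share one public address, as the remote peer requires."""
    lines = [ln.strip() for ln in config.splitlines()]
    iface_ip, cur = {}, None          # resolve "interface f0/0" targets
    for ln in lines:
        m = IFACE.match(ln)
        if m:
            cur = m.group(1)
        m = IP_ADDR.match(ln)
        if m and cur:
            iface_ip[cur] = m.group(1)
    found = {"ike": None, "nat_t": None, "esp": None}
    for ln in lines:
        m = STATIC_PORT.match(ln)
        if m and m.group(1) == "udp" and m.group(2) == asa_ip:
            pub = iface_ip.get(m.group(4)) if m.group(4) else m.group(5)
            if m.group(3) == m.group(6) == "500":
                found["ike"] = pub
            elif m.group(3) == m.group(6) == "4500":
                found["nat_t"] = pub
        m = STATIC_ESP.match(ln)
        if m and m.group(1) == asa_ip:
            found["esp"] = iface_ip.get(m.group(2)) if m.group(2) else m.group(3)
    found["consistent"] = len({v for v in found.values() if v}) <= 1
    return found
```

Run it against a pasted `show running-config | include nat|interface|ip address` and a missing entry shows up as `None`; a mismatch between the IKE and ESP addresses shows up as `consistent: False`.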