I am wondering If it is possible to connect to a server over a single VPN tunnel via 2 IP addresses by using NAT.
I believe your crypto acl for this specific case is:
access-list outside_cryptomap_13 extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_9
Anyways, the config should look like this (make sure 10.10.1.1 is allowed in your crypto acl):
When host 192.168.1.1 tries to communicate with 10.10.1.1 it will be forwarded to 172.16.1.1. However all other hosts within the source subnet 192.168.1.0/24 will communicate with other end using their real IP 172.16.1.0/24. Is it what you wanted?
! host values taken from the description above: 192.168.1.1 reaches 10.10.1.1, which is translated to 172.16.1.1
object network IP_REAL
 host 192.168.1.1
object network IP_REMOTE_REAL
 host 172.16.1.1
object network IP_REMOTE_NAT
 host 10.10.1.1
object network IP_REAL_SUBNET
 subnet 192.168.1.0 255.255.255.0
object network IP_REMOTE_REAL_SUBNET
 subnet 172.16.1.0 255.255.255.0
! rule 1: only for 192.168.1.1 talking to 10.10.1.1, rewrite the destination to the real 172.16.1.1
nat (inside,outside) 1 source static IP_REAL IP_REAL destination static IP_REMOTE_NAT IP_REMOTE_REAL no-proxy-arp route-lookup
! rule 2: identity NAT for the rest of the subnet so it enters the tunnel with real addresses
nat (inside,outside) 2 source static IP_REAL_SUBNET IP_REAL_SUBNET destination static IP_REMOTE_REAL_SUBNET IP_REMOTE_REAL_SUBNET no-proxy-arp route-lookup
On the other end you will need to adapt it by inverting the source and destination like:
nat (inside,outside) 1 source static IP_REMOTE_REAL IP_REMOTE_NAT destination static IP_REAL IP_REAL no-proxy-arp route-lookup
* Adapt the nat order number to where you want to insert these nats. You have a lot and don't know what they're used for. Just make sure the 1st nat in my example is above the 2nd, otherwise it won't work.
PS: Please be careful with your nat (any,any), try to specify the real source and destination name.
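To see why the two nat lines have to be in that order, here is an added Python model of ASA manual (twice) NAT as first-match rules in both directions. It is not part of the thread and not ASA code; the host addresses for IP_REAL, IP_REMOTE_REAL and IP_REMOTE_NAT are assumed from the description above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (inside,outside) N source static A B destination static C D' line:
    A/B = source real/mapped, C/D = destination mapped/real (the ASA lists the
    destination's mapped address first, then its real address)."""
    name: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str


def _remap(addr, from_net, to_net):
    # static (one-to-one) translation keeps the host offset within the network
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def translate(rules, src, dst, inbound=False):
    """Apply the first matching rule (manual NAT is first-match, so list order
    is the policy). Static rules are bidirectional, so inbound=True matches
    the reply: real peer -> mapped inside address. Returns (rule, src, dst)."""
    s, d, net = ipaddress.ip_address(src), ipaddress.ip_address(dst), ipaddress.ip_network
    for r in rules:
        if not inbound and s in net(r.src_real) and d in net(r.dst_mapped):
            return (r.name, str(_remap(s, net(r.src_real), net(r.src_mapped))),
                    str(_remap(d, net(r.dst_mapped), net(r.dst_real))))
        if inbound and s in net(r.dst_real) and d in net(r.src_mapped):
            return (r.name, str(_remap(s, net(r.dst_real), net(r.dst_mapped))),
                    str(_remap(d, net(r.src_mapped), net(r.src_real))))
    return None, src, dst


def round_trip_ok(rules, inside_host, peer_as_seen_inside):
    """True when the reply is un-translated back to the addresses the inside host
    used, i.e. both directions of the flow hit rules that agree with each other."""
    _, out_src, out_dst = translate(rules, inside_host, peer_as_seen_inside)
    _, in_src, in_dst = translate(rules, out_dst, out_src, inbound=True)
    return (in_src, in_dst) == (peer_as_seen_inside, inside_host)


# Constructed from the objects in the answer; host addresses assumed from its text.
HOST_RULE = TwiceNat("nat 1", "192.168.1.1/32", "192.168.1.1/32", "10.10.1.1/32", "172.16.1.1/32")
SUBNET_RULE = TwiceNat("nat 2", "192.168.1.0/24", "192.168.1.0/24", "172.16.1.0/24", "172.16.1.0/24")

if __name__ == "__main__":
    for order in ([HOST_RULE, SUBNET_RULE], [SUBNET_RULE, HOST_RULE]):
        print([r.name for r in order], translate(order, "192.168.1.1", "10.10.1.1"),
              "round trip ok" if round_trip_ok(order, "192.168.1.1", "10.10.1.1") else "ASYMMETRIC")
```

With the subnet rule on top the outbound packet still reaches 172.16.1.1, but the reply matches the identity rule first and arrives at 192.168.1.1 from 172.16.1.1 instead of 10.10.1.1, which is the breakage the answer warns about.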
I have picked this firewall infrastructure up from previous employees of the company, so there are a lot of rules that may be redundant. I just need to go through and tidy up when I have some time.
Thanks for your help, I will try what you say and feed back. Very much appreciated.