Greetings,

I am tasked with configuring a site-to-site VPN connection to a business partner in which I would first like to NAT my internal IPs to a public IP then send it across the tunnel, and vice versa when they try to access my servers I would like them to get to them via the external IP.  Here is what I think I need to do, but I wondered what the community's thoughts were.

All IP addresses represented below are fictional.

Internal Servers          Public IP

10.50.220.150           208.180.170.182    

10.50.220.151           208.180.170.183

10.50.220.152           208.180.170.184

Local Peer IP:      208.180.254.29

Remote Peer IP:  207.190.218.31

Local Network:     208.180.170.0/24

Remote Network:  207.190.239.0/24

From my understanding, NAT will occur before being sent out through a tunnel, or to the internet, etc, so the configuration I am thinking I need is the following:

nat (inside) 0 access-list nonat

nat (inside) 2 10.50.220.150

nat (inside) 3 10.50.220.151

nat (inside) 4 10.50.220.152

global (outside) 2 208.180.170.182

global (outside) 3 208.180.170.183

global (outside) 4 208.180.170.184

access-list nonat extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0   (Do I even need this since its getting NATed to a public IP anyway?)

access-list s2s-Customer extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0

route outside 207.190.239.0 255.255.255.0 207.190.218.31

crypto map outside 1 set peer 207.190.218.31

crypto map outside 1 match address s2s-Customer

[..rest of configuration ommitted..]

Does that look/sound right? If not, please advise.

Thanks.