Hi All,

I have a query regarding NAT operations over a VPN. I've been referring to various guides but I'm still a little confused. As I understood it, an identity nat/nat0 rule is required to prevent the traffic being natted out of the external interface by the default overload NAT? Yet the page below does not mention this. Is this config assuming there is no NAT overload?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-site2site.html

The bulk of this question though relates to what happens if I want to NAT an address before it's sent over the VPN. My current understanding is that I require a NAT, an identity NAT and interesting traffic ACL as follows (assuming only 1 host protected at each end, local 1.1.1.1 to be natted to 2.2.2.2, remote host 3.3.3.3):

----------------------------------------------

Local config:

nat (inside,outside) source static 1.1.1.1 2.2.2.2 destination static 3.3.3.3 3.3.3.3

nat (inside,outside) source static 2.2.2.2 2.2.2.2 destination static 3.3.3.3 3.3.3.3

access-list VPN_Interesting traffic extended permit ip host 2.2.2.2 host 3.3.3.3

----------------------------------------------

Remote Config:

nat (inside,outside) source static 3.3.3.3 3.3.3.3 destination static 2.2.2.2 2.2.2.2

access-list VPN_Interesting traffic extended permit ip host 3.3.3.3 host 2.2.2.2

----------------------------------------------

Is this correct or am I completely wrong here?!

Thanks in advance

Chris