PIX/ASA 7.X: Policy NAT

TOPOLOGY:
10.10.10.10 ---- YourASA ======= RemoteDevice ---- 20.20.20.20

SCENARIO:
- Host 10.10.10.10 is translated to 172.16.0.10 when going to host 20.20.20.20 (VPN traffic)
- Host 10.10.10.10 is translated through NAT/PAT normally elsewhere.

CONFIGURATION:

access-list NONAT permit ip host 172.16.0.10 host 20.20.20.20
access-list VPN10 permit ip host 172.16.0.10 host 20.20.20.20
access-list POLICY_NAT extended permit ip host 10.10.10.10 host 20.20.20.20

static (inside, outside) 172.16.0.10 acl POLICY_NAT
nat (inside) 0 access-list NONAT
nat (inside) 1 0 0
global (outside) 1 in interface
...
! DEFINE PHASE1 / ISAKMP PARAMETERS !
! DEFINE PHASE2 / IPSEC PARAMETERS !
...
crypto map OUTSIDE_MAP 10 match address VPN10
...
crypto map OUTSIDE_MAP interface outside
isakmp enable outside

---

NOTES:
In the above example, note that the source IP address of the VPN traffic is the translated IP address (172.16.0.10), not the inside/original source address.

The static statement is evaluated first before the crypto match statement. Hence, if the traffic matches acl "POLICY_NAT", the traffic is translated first, before it will be evaluated against the crypto map policy. (See NAT Order of Operation)

Due to the software requirements, this is available only to ASA and PIX capable of supporting 7.x and later.

---

REFERENCES:
PIX/ASA 7.X: Policy NAT:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
NAT Order of Operation:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml