We have two locations--a corporate HQ and a remote datacenter--connected by a private fiber link, presently. We have a pair of 13800s in active/standby ClusterXL mode in the data center. Our policy for the 13800s has various NAT exclusions, keeping the original source address the same as traffic leaves the gateway and heads for other destination networks at the corporate HQ. We have a pair of Cisco ASAs in our corporate HQ, just to keep things interesting.
We will soon be moving to a VPN tunnel between these sites, delivered over the open Internet, and will therefore be defining a VPN domain on each gateway within the VPN community (for us, that will be just the center gateway in the data center and the satellite gateway at the corporate HQ site).
My question is whether or not we need to keep these existing NAT exclusion statements within our NAT policy even if we are defining nearly the same networks within the VPN domain on each gateway object.
I've been using the following SK for help on this: How to set up a Site-to-Site VPN with a 3rd-party remote gateway. The guide doesn't require NAT exclusion statements along with the VPN domains defined, so I'm thinking I do not need them, but I wanted to ask anyone out there who has been through this already. (On a different note, these VPN domains must match between those defined on the Check Point environment and those defined within the Cisco ASAs--otherwise, IKE phase 2 will not establish.)
Any help you can provide is greatly appreciated. Thank you very much in advance.
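The post raises two concrete checks an administrator would want to run before the cut-over: that the VPN domain defined on the Check Point gateway object matches what the ASA side expects (otherwise IKE phase 2 will not establish, as noted above), and which of the existing no-NAT rules fall entirely inside the VPN domain pair so they can be reviewed deliberately rather than left or dropped by guesswork. The script below is an added example, not code from the original post or from Check Point or Cisco; all network names, rule names and CIDRs are constructed sample values, and it does not decide for you whether a given exclusion is still required.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network

# --- Constructed sample data (hypothetical, not from the original post) ---
# VPN domain as defined on the Check Point center gateway (data center side)
DC_VPN_DOMAIN = ["10.10.0.0/16", "10.20.0.0/24"]
# VPN domain as defined on the satellite gateway object for the HQ site
HQ_VPN_DOMAIN = ["192.168.0.0/16"]
# The same two sets as the ASA at HQ sees them (its "remote" and "local" networks)
ASA_VIEW_OF_DC = ["10.10.0.0/16", "10.20.0.0/24"]
ASA_VIEW_OF_HQ = ["192.168.0.0/16"]
# Existing no-NAT rules as (rule name, original source, destination)
NO_NAT_RULES = [
    ("nonat-dc-to-hq", "10.10.5.0/24", "192.168.10.0/24"),
    ("nonat-dc-to-partner", "10.10.5.0/24", "172.16.0.0/12"),
    ("nonat-mgmt-to-hq", "10.99.0.0/24", "192.168.0.0/16"),
]


def parse_nets(cidrs: Iterable[str]) -> List[Net]:
    """Parse CIDR strings as IPv4 networks; strict=True rejects host bits set
    (e.g. 10.10.1.5/24), which is a common source of domain mismatches."""
    return [ipaddress.IPv4Network(c, strict=True) for c in cidrs]


def domain_mismatches(local: Iterable[str], remote: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (only_on_local, only_on_remote) as sorted CIDR strings.
    Both lists empty means the two definitions match exactly."""
    a = {str(n) for n in parse_nets(local)}
    b = {str(n) for n in parse_nets(remote)}
    return sorted(a - b), sorted(b - a)


def domains_match(local: Iterable[str], remote: Iterable[str]) -> bool:
    """True when the two sides define exactly the same set of networks."""
    only_local, only_remote = domain_mismatches(local, remote)
    return not only_local and not only_remote


def covered_by(net: Net, domain: List[Net]) -> bool:
    """True when net lies entirely inside one of the domain's networks."""
    return any(net.subnet_of(d) for d in domain)


def classify_nat_exclusions(rules, local_domain: Iterable[str],
                            remote_domain: Iterable[str]) -> Dict[str, str]:
    """Label each no-NAT rule: 'inside-vpn-domains' when both its source and
    destination fall inside the local/remote VPN domain pair, otherwise
    'outside-vpn-domains' (traffic that would not traverse this tunnel)."""
    local = parse_nets(local_domain)
    remote = parse_nets(remote_domain)
    result: Dict[str, str] = {}
    for name, src, dst in rules:
        s = ipaddress.IPv4Network(src, strict=True)
        d = ipaddress.IPv4Network(dst, strict=True)
        inside = covered_by(s, local) and covered_by(d, remote)
        result[name] = "inside-vpn-domains" if inside else "outside-vpn-domains"
    return result


if __name__ == "__main__":
    for label, ours, theirs in (("DC domain", DC_VPN_DOMAIN, ASA_VIEW_OF_DC),
                                ("HQ domain", HQ_VPN_DOMAIN, ASA_VIEW_OF_HQ)):
        only_cp, only_asa = domain_mismatches(ours, theirs)
        status = "match" if not (only_cp or only_asa) else "MISMATCH"
        print(f"{label}: {status}  only on Check Point={only_cp}  only on ASA={only_asa}")
    for rule, verdict in classify_nat_exclusions(NO_NAT_RULES, DC_VPN_DOMAIN, HQ_VPN_DOMAIN).items():
        print(f"{rule}: {verdict}")
```

Rules labelled outside-vpn-domains (here the partner network and the management subnet not in the domain) clearly still need their exclusions regardless of the tunnel; rules labelled inside-vpn-domains are the ones to review against the community's NAT settings before removing anything.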