NAT public subnet to private IP through VPN

Unanswered Question
Apr 10th, 2007

I have a PIX515E (7.2.2) with several IPsec VPNs configured. They are "subnet to subnet" with NAT-T. I need a new VPN to a new client that "prohibits routing private IP addresses within their network". So I guess I have to NAT my entire subnet to a private IP address before it goes through the tunnel. How would I do this using the ASDM? Any tips would be greatly appreciated, especially if you have dealt with this type of configuration before.

Thanks in advance

L. Mace

ggilbert Tue, 04/10/2007 - 14:57


What do you mean by "prohibits routing private IP addresses within their network"?

a. Do you want your internal network (private address) to show up as a public address on their internal network?

b. Do you want their internal network to show up as something else on your side?

Which one is it?

If they prohibit routing private IP addresses within their network, your statement "I guess I have to NAT my entire subnet to a private IP address" is contradictory.

Can you please explain to me what you would like to do?

Some examples with subnets would be helpful.



luckymace Wed, 04/11/2007 - 12:28

Sorry for the confusion. The answer is

a. I need my internal network (…) to show up as a public address on their internal network. My confusion is how do I set that up? I have a couple of ideas but am not sure how they would work.

In the statement that is contradictory I meant to say "to a public IP address".

At any rate I am open to ideas.

At this point I do not have their peer ID or much other information except that they do not route private IPs from a vendor's subnet, hence the statement "prohibits routing private IP addresses within their network".

The only other information that I have is that we will use rdp to connect to about 5 servers on the clients subnet.


Lucky Mace

0rsnaric Thu, 04/12/2007 - 12:21

I have the same issue.

I have a tunnel set up with a client. My LAN IP addresses are on the 172.16.X.X network. I need to present a 100.0.10.X address to the tunnel.

The tunnel is setup to allow traffic from 100.0.10.X to 200.0.20.X. 200.0.20.X being the address range of hosts on their network that we need access to from 172.16.X.X.

How do I NAT the 172.16.X.X to 100.0.10.X so that it activates the tunnel?

Not trying to steal this thread, but it sounds like exactly the same issue.


ggilbert Sat, 04/14/2007 - 08:16


The simple one to do will be ...

Eg: Remote side network is

Your side public IP address is on the outside.

Let's say your normal traffic is getting PATed through the following statements:

nat (inside) 1

global (outside) 1 interface

Then your encryption acl would be:

access-list encacl per ip host host

This will allow your traffic to go through the tunnel from the external interface address to the remote side network.

Hope this explains.



luckymace Sat, 04/14/2007 - 18:41

I'll have to try this, I'll let you know when I get the go ahead for this tunnel.


L. Mace

0rsnaric Fri, 04/13/2007 - 14:54

I got mine figured out; maybe it will help you. (Changed the addresses a little for privacy.)

First, the tunnel is set up to pass traffic between the public address I need to NAT to, and the addresses on the remote network (the rest of the tunnel parameters are omitted here as they are irrelevant):

access-list outside_110_cryptomap extended permit ip 13

Then I create the dynamic NAT so that any traffic destined to is first NAT'd from my PRIVATE address (…) to the PUBLIC address permitted through the tunnel.

Global pool of addresses to NAT to -

global (outside) 3 netmask

Access-list that creates the dynamic mapping -

access-list inside_nat_outbound extended permit ip any

Basically those last two entries say: if traffic is bound for NAT it to global pool 3.

Worked like a charm.

Hope that helps.

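Since the addresses in both answers above were stripped when the thread was archived, here is a complete, constructed PIX 7.2 configuration that puts ggilbert's approach (translate the inside subnet to a single public address, then match that address in the crypto ACL) and 0rsnaric's policy-NAT version side by side. It is an added example, not either poster's actual configuration. It reuses 0rsnaric's placeholder ranges (172.16.0.0/16 inside, 100.0.10.X as the public address presented to the tunnel, 200.0.20.0/24 on the remote side); the specific public host 100.0.10.5, the peer address, the transform set and the ACL names are assumptions.

```cisco
! Constructed example (not from the thread). Addresses reuse the poster's
! placeholders; 100.0.10.5, the peer and the ACL names are assumptions.
!
! 1. Policy NAT: only traffic bound for the client's 200.0.20.0/24 network is
!    translated to the public address. Policy NAT (nat ... access-list) is
!    evaluated before the plain "nat (inside) 1" statement, so all other
!    outbound traffic keeps the normal PAT to the outside interface.
access-list inside_nat_outbound extended permit ip 172.16.0.0 255.255.0.0 200.0.20.0 255.255.255.0
nat (inside) 3 access-list inside_nat_outbound
global (outside) 3 100.0.10.5 netmask 255.255.255.255
!
! Normal PAT for everything else (usually already present).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 2. Crypto ACL. The PIX applies NAT before it checks the crypto map, so the
!    ACL must match the TRANSLATED source (the public host), not 172.16.x.x.
!    The client's side mirrors this: 200.0.20.0/24 -> host 100.0.10.5.
access-list outside_cryptomap extended permit ip host 100.0.10.5 200.0.20.0 255.255.255.0
!
! 3. Crypto map entry (ISAKMP policy, pre-shared key and the other tunnel
!    parameters are unchanged from the existing subnet-to-subnet tunnels).
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer <CLIENT_PEER_PUBLIC_IP>
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

Two things to verify on a real box before blaming the tunnel: first, if you already have a NAT exemption (`nat (inside) 0 access-list ...`) for your other VPNs, make sure that ACL does not also match traffic to 200.0.20.0/24, because exemption is evaluated first and would send the untranslated 172.16 source to the crypto map, where it never matches. Second, 100.0.10.5 must actually be reachable on the outside interface (in the outside subnet so the PIX can proxy-ARP for it, or routed to the PIX by the upstream router), otherwise the remote side's return traffic has nowhere to go. `show xlate` and `show crypto ipsec sa` will confirm that the translation is built and that the SA's local identity is the public host rather than the private subnet.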

luckymace Sat, 04/14/2007 - 18:38

Thanks this makes sense I will try it when I get the go ahead for this tunnel.

Much appreciated

