Policy NAT question

Unanswered Question
Apr 3rd, 2008

I have a question regarding policy NAT set up in our firewalls.

We currently have numerous VPN tunnels set up, some of them configured to outside sources with a policy NAT similar to this:

crypto map pub 30 ipsec-isakmp
crypto map pub 30 match address policy
crypto map pub 30 set peer
crypto map pub 30 set transform-set 3dessha
static (inside,outside) access-list policy_translation 0 0
access-list policy_translation permit ip host host
access-list policy permit ip host

My question is, is this usually set up this way for added security?

It looks as though the tunnels configured this way are mostly for connections from outside networks.

Why go through this process?

Jon Marshall Thu, 04/03/2008 - 14:42


The main reason for policy NAT is to control when an IP address gets NATted to another IP address, i.e. from your example above:

static (inside,outside) access-list policy_translation 0 0
access-list policy_translation permit ip host host

So basically when sends traffic to then it gets NATted to

You could just use

static (inside,outside)

but what if another remote site is using 10.9.6.x as a network already. So you want to NAT to if it goes to that remote site.

This is the key use of policy NAT, i.e. it allows an IP address to be NATted to multiple different IP addresses.

Hope this makes sense


wilson_1234_2 Thu, 04/03/2008 - 18:01

Thanks for the reply jon,

That makes sense, but what if we have no other remote site using the 10.9.6.x subnet (we don't).

What would be the reason for using it?

Jon Marshall Fri, 04/04/2008 - 00:18


The other main reason I can think of is that may need Internet access, and if it does then it will need to be NATted to a public IP address as it goes through the firewall.

And perhaps when the VPN was set up the 10.9.6.x address was agreed on. It is quite difficult to second-guess why something is like it is, and perhaps the previous admin just liked policy NAT :-).


sundar.palaniappan Fri, 04/04/2008 - 15:36


In addition to what Jon said one other possibility is that if you have VPN connection(s) to external vendors and they expect traffic to be sourced from when you access their network then using this policy NAT would make sense as well. Could that be the case since you stated in your original post that you have VPN from outside sources.



wilson_1234_2 Fri, 04/04/2008 - 16:09

Thanks guys,

Can you walk me through exactly what is happening here:

static (inside,outside) access-list policy_translation 0 0
access-list policy_translation permit ip host host

Here it is shown a little differently, and it kind of makes a little more sense this way.

static (inside,outside) (permit ip host host 0 0

I mean, I could accomplish the same thing via a VPN tunnel without NATting to correct?

Single host to single host, except it would be correct?

There is no additional benefit except I control what the remote site has as the allowed address?

Jon Marshall Fri, 04/04/2008 - 22:06

"static (inside,outside) access-list policy_translation 0 0
access-list policy_translation permit ip host host"

When the host sends data to then before the data is encrypted and sent down the tunnel the source IP address is changed to be

It also means that the remote IP can send data to and after being decrypted the destination IP address will be changed to

You could set up the VPN tunnel without the NAT and yes it would work, but you would need to make sure the other end of the VPN now connects back to

If you don't need policy NAT because of the reasons given in previous posts then no, there really is no additional benefit.


wilson_1234_2 Mon, 04/07/2008 - 05:08


Would you say the most likely reason for me to do policy NAT on my end (if I can find no other reason) is that the remote side had a problem with my source addresses and needed us to NAT them?

Also, what about if I have a problem with a remote IP address, as in I already have that subnet? Can I do anything on my end like policy NAT the destination IP address?

Jon Marshall Mon, 04/07/2008 - 06:23


We have used policy NAT for that very reason, i.e. the remote site needed our source IP addresses NATted but they could not accept what we were already NATting them to, so we had to use a different address.

The second part of your question: it depends.

1) If the address is already in use for a different VPN then you would need the NAT to happen at the remote end, because your firewall would not be able to distinguish between the same source IP address coming from 2 different sites.

2) If the address is already in use on your local LAN you don't need policy NAT, because you're NATting the source IP addresses, so you could do the following:

nat (outside) 1 outside
global (inside) 1

In the above example the remote site is using as their source IP's. You are already using these so you NAT the source IP's to as they come into your firewall.
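The outside-NAT case in the answer above, written out as an added example with assumed addresses (this is not Jon's or the original poster's configuration; the ranges, ACL name and peer are made up for illustration, and the syntax is again PIX 6.3 / ASA 7.x-8.2):

```cisco
! Added example (not from the original post). Assumed addresses:
!   10.9.6.0/24       the remote site's real LAN, which also exists on our own LAN
!   192.168.60.0/24   an unused range we present the remote hosts as, to our LAN
!   10.1.1.0/24       our LAN as the remote side sees it (no local NAT in this example)
!   203.0.113.1       the remote VPN peer
!
! Outside NAT: translate the remote SOURCE addresses as they enter on outside.
! The trailing "outside" keyword is what turns nat into an outside-NAT rule;
! the matching global is on the inside interface because that is where the
! translated addresses appear.
nat (outside) 1 10.9.6.0 255.255.255.0 outside
global (inside) 1 192.168.60.1-192.168.60.254 netmask 255.255.255.0
!
! nat/global is one-directional: only the remote side can open sessions. If our
! hosts must also initiate to the remote LAN (as 192.168.60.x), use a static
! outside NAT instead of the two lines above:
!   static (outside,inside) 192.168.60.0 10.9.6.0 netmask 255.255.255.0
!
! The crypto ACL uses the remote side's REAL addresses: inbound packets are
! decrypted before the outside NAT is applied, and replies are un-NATted before
! they are matched against the crypto map. The remote peer's ACL is the mirror.
access-list vpn_remote permit ip 10.1.1.0 255.255.255.0 10.9.6.0 255.255.255.0
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
crypto map pub 40 ipsec-isakmp
crypto map pub 40 match address vpn_remote
crypto map pub 40 set peer 203.0.113.1
crypto map pub 40 set transform-set 3dessha
crypto map pub interface outside
```

One check worth doing before relying on this: our own 10.9.6.0/24 hosts must never be the destination of a packet that should go down the tunnel, so confirm with "show xlate" that remote sessions appear with 192.168.60.x source addresses and that the local route for 192.168.60.0/24 points at the firewall's inside interface.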

