Cisco ASA 5505 - NAT over a VPN

Unanswered Question
Jul 9th, 2008

Dear all,

I've been trying to configure a Cisco ASA 5505 to connect to a remote VPN. Once connected, all traffic should then present itself from one IP over the VPN using NAT. I have two VLANs called inside and outside. The inside IP is, the outside is 217.XX.XX.XX. NAT is enabled but refuses to work over the VPN. The ASA 5505 trace path facility shows the VPN thinks it's exempt from the NAT rule. Why?

I want all traffic to present itself as

I would also like to say I know next to nothing about Cisco routers. This is the first one I've configured; therefore, some of my settings may be way off the mark.


a.alekseev Wed, 07/09/2008 - 06:31

you have "vpnclient mode network-extension-mode"

use instead "vpnclient mode client"

rhh_bytron Wed, 07/09/2008 - 12:47

I have made the change, but my VPN traffic still has the wrong NAT IP.

ggilbert Wed, 07/09/2008 - 06:48


Just like the previous person said, you can use vpnclient mode as client and turn off NEM. But here is the issue.

You have to assign a different address pool to the EzVPN client (in this case your ASA 5505) not the same as its internal network. So, it should be something like 192.168.10.x.

Rate this post if it helps.


rhh_bytron Wed, 07/09/2008 - 12:46

Apologies, but I made a mistake on my first post.

The VPN connects to a server and gets assigned an IP of This IP differs from my inside and outside interfaces. I have been asked to ensure all traffic down the VPN is NAT'd, using as the NAT address. The tech guys of the VPN server I connect to keep saying that my IP is showing as 192.168.20.XXX (My internal address); hence, all my traffic is blocked by their system.

The NAT line someone suggested is:

static (inside,outside) 192.168.20.XXX netmask

Although, when I run the following command:

show vpnclient detail

I get the following

vpnclient server 193.XX.XX.XX
vpnclient mode client-mode
vpnclient vpngroup GROUP1 password ********
vpnclient username GROUP password ********
vpnclient enable

- Key exchange is based on Pre-Shared Key
- Traffic from, or through Cisco Easy VPN Remote will initiate a connection

Secure Unit Authentication Enabled : Policy not stored
Split Tunnel Networks : None
Backup Servers : None

nat (inside) 0 access-list _vpnc_nwp_acl
access-list _vpnc_nwp_acl extended permit ip any any
aaa authentication match _vpnc_nwp_acl inside _vpnc_nwp_server
aaa authentication match _vpnc_nwp_acl _internal_loopback _vpnc_nwp_server
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac

The line that concerns me is:

nat (inside) 0 access-list _vpnc_nwp_acl

I believe that is saying my VPN traffic bypasses the NAT rules. This line does not show when I run show run.
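The behaviour described in this post, shown as an added illustration (constructed model, not Cisco code or anything from the thread): on these ASA releases the NAT exemption list ("nat 0 access-list") is consulted before static rules, so an exemption ACL that reads "permit ip any any" shadows any static NAT for the same traffic. The mapped NAT address, the inside host and the VPN peer below are placeholders, since the post elides them.

```python
import ipaddress

# Constructed model (not Cisco code) of the pre-8.3 ASA NAT lookup order this
# thread's config runs into: NAT exemption ("nat 0 access-list") is checked
# before static rules, so a packet matched by the exemption ACL keeps its
# real source address and the static NAT never fires.


def _matches(net, ip):
    """'any' is a wildcard; otherwise test membership in the network."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def acl_permits(acl, src, dst):
    """ACL entries are (action, src_net, dst_net); first match wins."""
    for action, s, d in acl:
        if _matches(s, src) and _matches(d, dst):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def translate_source(src, dst, exempt_acls, statics):
    """Source address the packet carries after the NAT decision."""
    for acl in exempt_acls:  # 1. NAT exemption (nat 0 access-list) wins
        if acl_permits(acl, src, dst):
            return src
    for real_net, mapped in statics:  # 2. static (inside,outside) rules
        if _matches(real_net, src):
            return mapped
    return src  # no rule matched: untranslated


# Constructed values: the auto-generated EzVPN ACL quoted in the post, a
# placeholder for the elided mapped NAT address, a sample inside host.
VPNC_NWP_ACL = [("permit", "any", "any")]
PLACEHOLDER_NAT_IP = "203.0.113.10"
INSIDE_HOST, VPN_PEER = "192.168.20.42", "10.99.0.5"
STATIC_NAT = [(INSIDE_HOST + "/32", PLACEHOLDER_NAT_IP)]


def source_seen_by_vpn_server():
    """With the any/any exemption present the remote side sees the real IP."""
    return translate_source(INSIDE_HOST, VPN_PEER, [VPNC_NWP_ACL], STATIC_NAT)


def source_if_not_exempt():
    """Same packet when no exemption ACL shadows the static rule."""
    return translate_source(INSIDE_HOST, VPN_PEER, [], STATIC_NAT)


if __name__ == "__main__":
    print("seen by VPN server:", source_seen_by_vpn_server())
    print("without exemption: ", source_if_not_exempt())
```

The first function reproduces what the VPN server's operators report (the 192.168.20.x address), the second what the suggested static rule would produce if nothing exempted the traffic first.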

