NAT Translation to Address on Inside of Firewall

Unanswered Question
Nov 7th, 2008

Greetings, we have recently deployed an MPLS network for one of our customers; all internet traffic is routed out via a firewall managed by ourselves at the HQ location.

All remote sites have MPLS addresses assigned in the range; all internal LAN facing subnets have allocations in the /16 range.

At present if I form a remote access IPsec VPN connection with the firewall I can gain access to each router on its LAN facing interface but can't get access to its MPLS facing interface on the range. This still applies if I add the network to the split tunnel ACL. I can ping devices on the network from the firewall.

For remote access VPN connections is it possible to put NAT statements on the firewall on an inbound direction to say translate the outside address of the remote site from 172.18.255.x to 10.130.x.x?

Any help would be much appreciated.

Jon Marshall Thu, 11/13/2008 - 09:19

I'm not sure I fully understand your topology but if you want to translate incoming source IP addresses on a firewall

static (outside,inside)

would NAT coming in through the outside interface to


exonetinf1nity Fri, 11/28/2008 - 07:39

Cheers for the replies guys, I have attached a quick example of the current setup.

Each remote site has two subnets sitting behind the LAN interface of the router in the and ranges.

The MPLS facing interface has addresses out of the address space.

The firewall at the HQ has an inside address of as part of the HQ /24 subnet.

Now when I connect to the firewall via remote access VPN I can connect to every site that has an address in the address space but can't connect to any address in either the or range.

The response from the firewall indicates that there is no translation group:

No translation group found for icmp src outside: dst inside: (type 8, code 0)

I do have a split tunnel list that covers both the and networks but I still receive the above response, hence my question as to whether it would be possible to drop either a dynamic or static NAT rule that would match traffic coming in from a remote access VPN connection, allowing me to get to both the and networks respectively.
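What a NAT exemption (identity, not translation) for that flow looks like on an ASA of that era, added here as an example that is not from the thread. The VPN pool 10.200.200.0/24 and the /24 mask on the 172.18.255.x range are assumptions, as is nat-control being enabled.

```cisco
! Added example, not from the thread. Assumed: ASA 8.0-era syntax, nat-control enabled,
! VPN pool 10.200.200.0/24 (placeholder), MPLS-facing addresses in 172.18.255.0/24.
!
! 1. Check whether every flow is forced to match a NAT rule. With nat-control enabled,
!    VPN-pool traffic arriving on "outside" for a host behind "inside" that matches no
!    rule is dropped with "No translation group found".
show running-config nat-control
!
! 2. Exempt (not translate) VPN-pool <-> remote-site traffic; nat 0 with an ACL is
!    bidirectional. The LAN /16 is often already listed, which is why the LAN side works;
!    the MPLS-facing /24 must be listed too or pings to a router's MPLS interface fail.
access-list VPN_NONAT extended permit ip 10.130.0.0 255.255.0.0 10.200.200.0 255.255.255.0
access-list VPN_NONAT extended permit ip 172.18.255.0 255.255.255.0 10.200.200.0 255.255.255.0
nat (inside) 0 access-list VPN_NONAT
!
! 3. The split-tunnel ACL only decides what the client sends into the tunnel; it creates
!    no translation, so it must carry both ranges as well.
access-list SPLIT_TUNNEL standard permit 10.130.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 172.18.255.0 255.255.255.0
!
! 4. Confirm the NAT phase now passes before testing from a client (pool IP and router
!    MPLS address below are placeholders).
packet-tracer input outside icmp 10.200.200.10 8 0 172.18.255.1
```

If packet-tracer still shows a NAT drop for the 172.18.255.x destination, the remaining cause is routing or ACL rather than translation.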


tahequivoice Tue, 11/18/2008 - 06:33

Sounds like a routing/ACL issue. Can you ping the remote LANs from the ASA? If you can, then you should also be able to access them from the VPN pool IPs; if not, check the ACL for the split tunnel to make sure the LAN addresses are listed and that the LAN segments can get back to the IP range of the pool. You shouldn't need to translate unless you have overlapping addresses on the MPLS.

