How to NAT across a VPN

Unanswered Question
Nov 14th, 2008

Customer has the same remote networks as some of my local networks. What is the best way to apply NAT across the tunnel?

I'm trying to figure out how to set up "Tunnel NAT" or NAT across the tunnel.

192.168.x.x, 172.16.1.x local

192.168.x.x, 172.16.1.x remote

I'm new to the ASA 5510 style.

Any help or documents are appreciated by ratings.


risenshine4th Fri, 11/14/2008 - 14:35


I would like to NAT to

and the customer would NAT to the same in their config.

john.croson Mon, 11/17/2008 - 08:22

I'm also struggling with this same configuration, but I currently host 3 L2L configs and a couple of RAs.

The thing in Doc ID 99122 (the PIX/ASA L2L with overlapping nets example) that confuses me is the statement:

global (outside) 1

I don't understand why that address is being used, as the outside address is, the addresses to NAT are

What am I missing?

JORGE RODRIGUEZ Mon, 11/17/2008 - 11:55

I believe this could be a typo. You are right in this section in understanding the logic of it and finding out what role does have here in the overlapping scenario, especially when your outside interface network is in this example; you would assume that you already have in the FW:

global (outside) 1

nat (inside) 1 0 0

So I believe this statement from PIX-A should be:

global (outside) 1


global (outside) 1 interface

nat (inside) 1 0 0

and here the VPN traffic is already defined with the static policy NAT statement along with the ACL.

So if you look at the policy NAT in PIX-A, the static statement with the ACL is looked at first, and if it matches the static policy NAT statement and its ACLs it will go through the L2L tunnel. Static NAT takes precedence over any dynamic NAT, so up to here the example in the link is fine. For non-VPN related traffic like regular internet traffic it will use global, which is the outside interface IP address.. not ..

Paragraph in question!!

global (outside) 1

nat (inside) 1 0 0

!--- The above statements will PAT the internet traffic

!--- except the VPN traffic using the IP address

So the above statement is simply telling that any host or networks from the inside (nat (inside) 1 0 0) will be PATed/translated with global (outside) for internet traffic, but... network is not even routed through the FW outside interface.

I hope this makes sense, but anyone who agrees or disagrees is welcome to say so.
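To make the order-of-operations point in the two replies above concrete (John's question about what the global (outside) address is for, and Jorge's explanation that static policy NAT is matched before the dynamic nat/global pair), here is a complete pre-8.3 ASA configuration for one side of an overlapping-network L2L tunnel. It is an added example, not the configuration from the original thread or from Doc ID 99122, and every address, name and key placeholder in it is assumed: both sites use 192.168.1.0/24, this side presents itself to the peer as 10.1.1.0/24 and sees the peer as 10.2.2.0/24, the outside interface is 203.0.113.2 and the peer is 198.51.100.2 (RFC 5737 documentation ranges).

```cisco
! ASA-A, 7.x / 8.0-8.2 nat/global syntax as used in the thread.
! Assumed addressing (not from the original post):
!   local LAN   192.168.1.0/24  -> shown to the peer as 10.1.1.0/24
!   remote LAN  192.168.1.0/24  -> shown to us by the peer as 10.2.2.0/24
!   outside     203.0.113.2, peer 198.51.100.2

! 1. Policy NAT. Only traffic from the real LAN to the peer's *translated*
!    range is rewritten. A static (policy) entry is evaluated before any
!    dynamic nat/global pair, so VPN traffic never reaches rule 2.
access-list POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list POLICY-NAT

! 2. Everything else leaving inside is PATed to the outside interface
!    address. This is the pair John asked about: it is only for internet
!    traffic, which is why the address used here is the outside interface
!    (or a public address routed to it), never the tunnel's translated range.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 3. The crypto ACL matches the translated addresses on both ends, because
!    NAT is applied before encryption on the ASA.
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 4. Tunnel definition (IKEv1, pre-shared key; key placeholder assumed).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>

! 5. Hosts on the local LAN address the remote LAN as 10.2.2.x, never as
!    192.168.1.x. The peer configures the mirror image: its 192.168.1.0/24
!    becomes 10.2.2.0/24 in its policy-NAT static, and its crypto ACL is
!    10.2.2.0/24 -> 10.1.1.0/24.
```

Two checks are worth running before blaming the peer. `packet-tracer input inside icmp 192.168.1.10 8 0 10.2.2.10` should show the NAT phase picking the static policy entry (mapped source 10.1.1.10) and the VPN phase matching VPN-TRAFFIC; a packet to a public address should instead hit the global (outside) 1 interface PAT. `show xlate` then shows 192.168.1.x to 10.1.1.x entries for tunnel flows and interface-PAT entries for everything else. One caveat: a NAT exemption line such as `nat (inside) 0 access-list ...` that covers 192.168.1.0/24 to 10.2.2.0/24 is evaluated before the policy static and would send the traffic untranslated, so the exemption ACL must not overlap POLICY-NAT.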
