NATing over Site-to-Site

Unanswered Question

This is my VPN Site-to-Site:


Phase 1 works, phase 2 fails because otherASA expects my traffic to use myASA5505's IP and it is using myServer's IP.

So here is the question:

How do I NAT myServer to go out myASA5505 using the ASA outside interface address?

Jon Marshall Wed, 12/03/2008 - 09:00


Your crypto map access-list needs to use the Natted IP of your server and not the real IP, e.g.

remote network =

server real address =-

ASA outside interface =

access-list vpntraffic permit ip host

the above is what your crypto access-list should look like. At the remote end it should be

access-list vpntraffic permit ip host
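
The crypto access-list mismatch and its correction described in the answer above, as an added configuration example that is not part of the original thread. All addresses are constructed placeholders, the ACL name `server-to-remote`, NAT ID 5, crypto map name `outside_map` and interface names `inside`/`outside` are assumptions, and the NAT commands assume pre-8.3 ASA syntax.

```cisco
! Constructed addresses (not from the thread):
!   server real address   = 192.168.1.10
!   ASA outside interface = 203.0.113.2
!   remote network        = 198.51.100.0/24

! --- myASA5505 ---
! Policy NAT: translate the server to the outside interface address
! only when it talks to the remote network.
access-list server-to-remote extended permit ip host 192.168.1.10 198.51.100.0 255.255.255.0
nat (inside) 5 access-list server-to-remote
global (outside) 5 interface

! Mismatch: crypto ACL written on the server's real address.
! NAT is applied before the crypto ACL is checked, so the translated
! traffic does not match this entry.
! access-list vpntraffic extended permit ip host 192.168.1.10 198.51.100.0 255.255.255.0

! Corrected: crypto ACL written on the NATed (outside interface) address.
access-list vpntraffic extended permit ip host 203.0.113.2 198.51.100.0 255.255.255.0
crypto map outside_map 10 match address vpntraffic

! --- otherASA ---
! Mirror image of the entry above, so both ends agree on the phase 2 selectors.
access-list vpntraffic extended permit ip 198.51.100.0 255.255.255.0 host 203.0.113.2
```

Because the translation here is dynamic PAT to the interface address, only the server can open connections through the tunnel; the remote side cannot initiate to it.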


Jon Marshall Wed, 12/03/2008 - 09:35

"remote network is /32 - does it change anything (other than the mask)?"

No mine was just an example, change to fit your scenario.

"when you refer to server real address that is myServer or the other side?"

Your server that you are Natting.


