Static NAT bypass

Unanswered Question
Mar 27th, 2009

Hi all

I have an internet router that performs static NAT of UDP ports 500 and 4500 to the ASA behind it for VPN termination purposes.

I need to terminate a new VPN on the internet router, and I'm asking if there is some way to avoid this NAT only for certain IPs, so that the internet router can terminate the new VPN while still performing NAT to keep the rest of the VPN termination on the ASA.

Thank you so much


lamav Fri, 03/27/2009 - 06:21

Hi, Miguel:

You can create a route map that is associated with an ACL and perform the NAT function based on the route map.

In this example, only traffic from these 2 networks will be NAT'ed.

access-list 1 permit
access-list 1 permit
route-map NAT permit 10
 match ip address 1
ip nat pool NAT_POOL prefix-length 24
ip nat inside source route-map NAT pool NAT_POOL



thotsaphon Fri, 03/27/2009 - 06:27

Do you only have one public ip address at the wan interface on the internet router?

Are you doing site to site VPN or IPSec VPN on the ASA?

Are you going to do site to site VPN or IPSec VPN on the internet router?

I need more information. A route-map may help you identify the source of the originating traffic.


lamav Fri, 03/27/2009 - 06:31


He probably does, or a very small subnet.

My example was meant to teach him about the route map and NAT exclusion option, not so much the basic NAT pool stuff. He says he already has connections going on, so I am sure he knows that part.

thotsaphon Fri, 03/27/2009 - 06:34


Thanks for the information. I'm waiting to find out how I can help.

BTW, How are you doing today?


lamav Fri, 03/27/2009 - 08:22

I'm doing very well, Toshi. Thanks for asking. :-)

msantiveri Fri, 03/27/2009 - 06:43

Thanks Victor.

I need just the opposite.

I need to do NAT for all IPs except one. Note that there are VPN clients coming from everywhere.

Toshi, thank you

Yes, unfortunately I have only one public IP address.

msantiveri Fri, 03/27/2009 - 06:47

Toshi, here come the other answers.

Are you doing site to site VPN or IPSec VPN on the ASA?


Are you going to do site to site VPN or IPSec VPN on the internet router?


thotsaphon Fri, 03/27/2009 - 06:51


Okay! You have just one public IP address.

Can you change the configuration on the ASA to use TCP/10000 to do IPSec VPN (isakmp-over-tcp)? I have to tell users "Please change this parameter". (grin)

I can now use udp/500 and udp/4500 for the internet router.

BTW, how are you doing?



lamav Fri, 03/27/2009 - 08:21


How are you?

It's more or less the same thing.

This time the ACL will be inverted.

access-list 1 deny
access-list 1 permit any

The first line denies the traffic you don't want to NAT.

The second allows NATing on everything else. Remember, you DO need the permit ip any any because of the implicit "deny" at the end of all ACLs.
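To make the evaluation order and the implicit deny concrete, here is an added example (not part of the original thread, and not Cisco's code) that models how IOS walks a standard ACL top to bottom, first match wins, with an implicit deny at the end, and how a `route-map NAT permit 10` with `match ip address 1` turns that verdict into "translate" or "do not translate". The addresses (10.1.1.0/24, 10.1.2.0/24, host 10.1.1.5) are constructed sample values, not values from the thread. Note that a standard numbered ACL uses `permit any`; the `ip any any` form belongs to extended ACLs.

```python
import ipaddress

# Constructed sample ACLs in IOS standard-ACL syntax (not the thread's own lines).
# First form (lamav's first post): translate only the two listed networks.
INCLUDE_ACL = [
    "access-list 1 permit 10.1.1.0 0.0.0.255",
    "access-list 1 permit 10.1.2.0 0.0.0.255",
]
# Inverted form (lamav's second post): exempt one host, translate everything else.
EXCLUDE_ACL = [
    "access-list 1 deny host 10.1.1.5",
    "access-list 1 permit any",
]
# Common mistake: the trailing "permit any" is missing, so the implicit deny
# at the end of the ACL means nothing is ever translated.
MISSING_PERMIT_ACL = [
    "access-list 1 deny host 10.1.1.5",
]


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask (inverted netmask, 0 bits = must match)
    to a CIDR prefix length, e.g. 0.0.0.255 -> 24."""
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    netmask = ipaddress.IPv4Address(all_ones ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <target>' lines into (action, network) entries.
    Supports 'any', 'host A.B.C.D', a bare address (IOS treats it as a host),
    and 'A.B.C.D W.W.W.W' wildcard form."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        target = parts[3:]
        if target == ["any"]:
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif target[0] == "host":
            net = ipaddress.IPv4Network(f"{target[1]}/32")
        elif len(target) == 1:
            net = ipaddress.IPv4Network(f"{target[0]}/32")
        else:
            addr, wildcard = target[0], target[1]
            net = ipaddress.IPv4Network(f"{addr}/{wildcard_to_prefixlen(wildcard)}", strict=False)
        entries.append((action, net))
    return entries


def acl_verdict(entries, src: str) -> str:
    """First-match evaluation; if no entry matches, the implicit deny applies."""
    ip = ipaddress.IPv4Address(src)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def nat_applies(acl_lines, src: str) -> bool:
    """Model 'route-map NAT permit 10 / match ip address 1' bound to
    'ip nat inside source route-map NAT ...': a permit match means the
    packet is translated, a deny (explicit or implicit) means it is not."""
    return acl_verdict(parse_standard_acl(acl_lines), src) == "permit"


if __name__ == "__main__":
    for label, acl in (("include", INCLUDE_ACL), ("exclude", EXCLUDE_ACL), ("missing permit", MISSING_PERMIT_ACL)):
        for src in ("10.1.1.5", "10.1.1.7", "10.1.3.7"):
            print(f"{label:15} src={src:10} translated={nat_applies(acl, src)}")
```

Running the block prints one line per ACL/source pair; the "missing permit" rows show every source untranslated, which is the implicit-deny trap the post warns about.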



thotsaphon Fri, 03/27/2009 - 08:39


I'm not 100% sure that we are on the same page. As the poster stated, users out there will connect to the internet router using the public IP address. Then the router will do static NAT of udp/500 and udp/4500 to the ASA to do IPSec VPN.

The requirement is that he wants to have 2 VPN terminators. The other one is the internet router. And he has only one public IP address.

To the poster: if I missed something, please clarify.



msantiveri Mon, 03/30/2009 - 00:18

Hi guys

My customer will provide me with another public IP address to do this, so everything is all right.

Thanks a lot


