Policy NAT on RA VPN?

Unanswered Question
Aug 21st, 2009

I have the following scenario; due to a 3rd party issue they have no route to my Remote Access VPN IP POOL and their default gateway doesn't hit my ASA.

I want to enable NAT so that my VPN IP POOL is hidden behind the inside interface of the firewall (as they can route to that). Below is a snippet of my config but it doesn't work.. any ideas?

(The Remote Access VPN works fine to the rest of the network, details have been changed to protect the innocent ;))

interface e0
ip addr
sec level 0
nameif outside

interface e1
ip addr
sec level 100
nameif inside

ip local pool VPN_POOL mask

access-list NAT_VPN permit ip
global inside 10 interface
nat (outside) 10 access-list NAT_VPN

I think the issue is that I'm implementing "NAT & Global" from a low sec-level to a high, but you can't do this command with "statics" 'cause it complains that the subnet mask in the ACL of the source isn't a host.

Thanks in Advance,

mchin345 Thu, 08/27/2009 - 13:49

In order to configure Policy NAT for VPN traffic, for example, to change the source address, refer to this configuration example. In this example, the internal network is

Create an access-list for Policy NAT with real source and a destination IP address.

access-list POLICYNAT extended permit ip host
access-list POLICYNAT extended permit ip

Create a static command that states that when source is and destination is or, change it to

static (inside,outside) access-list POLICYNAT

Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example,

access-list VPN extended permit ip host
access-list VPN extended permit ip

Apply the crypto access-list to crypto map.

crypto map VPN 10 match address VPN

nickbettison Wed, 09/02/2009 - 05:34
Thanks for your response, but I don't think that'll do what I've asked.

I want to hide behind the interface of the firewall, I'm sure that...

static (inside,outside) access-list POLICYNAT

Means that if is the source, then the source nat will be

...also I want to nat the other way round... outside,inside not inside,outside ;-)
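For readers following the thread, an added example (not posted by either participant) of how pre-8.3 ASA syntax expresses dynamic policy NAT in the outside-to-inside direction the question asks for, hiding the whole VPN pool behind the inside interface address. The pool 192.0.2.0/24, the third-party network 10.10.10.0/24 and the object names are constructed placeholders.

```cisco
! Constructed example for ASA 7.x / 8.0-8.2 (pre-8.3 NAT model). Addresses are placeholders.
! Remote-access clients draw from 192.0.2.0/24; the third-party hosts that cannot
! route to that pool sit on 10.10.10.0/24 behind the inside interface.
ip local pool VPN_POOL 192.0.2.1-192.0.2.254 mask 255.255.255.0

! Policy NAT: match only pool traffic destined for the third-party network, so the
! rest of the network keeps seeing the real client addresses.
access-list NAT_VPN extended permit ip 192.0.2.0 255.255.255.0 10.10.10.0 255.255.255.0

! The real interface (outside, security 0) is lower than the interface named in the
! matching global (inside, security 100). In that case the trailing "outside" keyword
! is required to mark the rule as outside NAT; without it the nat/global pair is not
! applied to traffic arriving on the lower-security interface.
nat (outside) 10 access-list NAT_VPN outside

! Translate to the inside interface address (PAT), which the third party can route to.
global (inside) 10 interface

! Note: "static" requires a one-to-one host or subnet mapping, so a dynamic nat/global
! pair is the form to use when many pool addresses are hidden behind a single address.
```

Verify the translation on the box with "show xlate" after a client sends traffic toward 10.10.10.0/24: the xlate entries should show pool addresses mapped to the inside interface IP.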
