natting to single address for vpn

Mar 4th, 2010


I have a router connected to my Cisco ASA, and a site-to-site tunnel is established between them. Can anyone tell me what I would do on the router to NAT all addresses coming from the router to the ASA to a single address? Like PAT, but through the tunnel.



Federico Coto F... Thu, 03/04/2010 - 13:23


You would need to create the NAT configuration for PAT, and then specify that the interesting traffic is from the PAT address to the other's site subnet.

The only difference is to specify the VPN traffic to the PAT address, instead of specifying the interesting traffic to the real subnet.

Another note, is that if you do it like this, you can only initiate the tunnel from the router's side.

Translation always happens before encryption.


carl_townshend Fri, 03/05/2010 - 01:18

Hi There

I understand what you are saying, but could you please give me an example of what you would do here? Would you just do something like

ip nat inside source list 1 pool xx overload

and then reference the pool in the crypto map?



Federico Coto F... Sat, 03/06/2010 - 13:32

To PAT inside the tunnel, you create the NAT configuration as usual:

ip nat inside source route-map NAT interface OUTSIDE0/0 overload

route-map NAT
 match ip address 199
 set ip next-hop x.x.x.x   -->  default gateway or path through the tunnel

access-list 199 permit ip

What you're doing with the above configuration is PATing traffic from 10.x.x.x to 192.168.1.x (assuming 10.x.x.x is the network behind the router and 192.168.1.x is the network behind the ASA).

Then you specify the interesting traffic (VPN traffic) as being from the PATed address to the ASA's network:

access-list 101 permit ip host

(assuming is the OUTSIDE0/0 address, the interface where the crypto map is applied).

Access-list 101 is the ACL applied to the crypto map.

Remember that the ACL on the ASA should be a mirror to this ACL and that the tunnel can only be initiated from the router's side.

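The following is an added, end-to-end version of the configuration described in the post above; it is not from the original thread or from Cisco. All addresses are constructed from documentation ranges: 10.1.1.0/24 is the LAN behind the router, 192.168.1.0/24 the LAN behind the ASA, 203.0.113.2 the router's outside (PAT) address and 198.51.100.1 the ASA's outside address. Interface names, the map/ACL names, the pre-shared key and the cipher choices are assumptions, and the ASA side is written in 8.4-or-later syntax (object NAT and `ikev1` keywords). The route-map keeps only the `match` clause, since that is what selects traffic for translation; the `set ip next-hop` line from the post is not needed for the NAT decision.

```cisco
! ===== Router (IOS) =====
! Phase 1: must match the ASA's IKEv1 policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-ChangeMe address 198.51.100.1
! Phase 2 transform set.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Crypto ACL: interesting traffic is sourced from the PAT address (the outside
! interface IP), NOT from 10.1.1.0/24, because inside->outside NAT is applied
! before the crypto map is evaluated.
access-list 101 permit ip host 203.0.113.2 192.168.1.0 0.0.0.255
crypto map CM-ASA 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 101
! NAT: translate the LAN to the outside interface address when it talks to the
! ASA's LAN. Add "permit ip 10.1.1.0 0.0.0.255 any" here if the same router also
! provides ordinary Internet PAT.
access-list 199 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map NAT-VPN permit 10
 match ip address 199
ip nat inside source route-map NAT-VPN interface FastEthernet0/0 overload
interface FastEthernet0/0
 description Outside - PAT address and crypto map live here
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map CM-ASA
interface FastEthernet0/1
 description Inside LAN 10.1.1.0/24
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
! x.x.x.x from the post: the ISP next hop on the outside subnet.
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! ===== ASA (8.4+ syntax) =====
object network ASA-LAN
 subnet 192.168.1.0 255.255.255.0
object network ROUTER-PAT
 host 203.0.113.2
! Mirror of the router's ACL 101: the ASA only ever sees the router's PAT address,
! never 10.1.1.0/24.
access-list VPN-TO-ROUTER extended permit ip object ASA-LAN object ROUTER-PAT
! NAT exemption (identity NAT) so the ASA does not translate VPN traffic itself.
nat (inside,outside) source static ASA-LAN ASA-LAN destination static ROUTER-PAT ROUTER-PAT no-proxy-arp
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-ROUTER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key ExamplePSK-ChangeMe
```

Two practical consequences of this layout are worth keeping in mind. First, the tunnel can only be brought up from the router side: a packet from 192.168.1.0/24 arriving at the router for 203.0.113.2 has no translation entry to match, so the ASA cannot open a session to an inside host. Second, since the interesting traffic is defined on the translated address, `show ip nat translations` on the router should show 10.1.1.x entries mapped to 203.0.113.2 before `show crypto ipsec sa` shows any encapsulated packets; if the NAT table stays empty, ACL 199 or the inside/outside interface markings are the first thing to check. If the ASA release in use does not support DH group 14, pick the strongest group it does support and use the same one on the router.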

carl_townshend Thu, 03/11/2010 - 07:34

Hi There

Thanks for the reply

Can you tell me what the endpoint address would be: the address through the tunnel, or the default gateway?

route-map NAT
 match ip address 199
 set ip next-hop x.x.x.x   -->  default gateway or path through the tunnel



Federico Coto F... Thu, 03/11/2010 - 11:19

x.x.x.x will be the default gateway of the Router (the next-hop to reach the ASA).

Give it a shot and let us know if the tunnel establishes.

You can use the commands:

sh ip nat trans -->  to verify PAT is taking place
sh cry isa sa -->  to verify phase 1
sh cry ips sa --> to verify phase 2


carl_townshend Mon, 03/15/2010 - 09:22


I'm still unsure. Will the next hop just be my ISP Internet router address, then?

Federico Coto F... Mon, 03/15/2010 - 09:26


The IP of your ISP router that is on the same subnet as your router.

In other words, your router's default gateway.


