NATing behind VPN device

Unanswered Question
May 17th, 2010

I'm pretty familiar with setting up a VPN but a customer asked if we could NAT our servers to a range they provide and I'm not sure how this can be implemented.

Here's our setup (sanitized):

our side ( <---> ASA <---> router <---> Internet <---> customer side (

We use the ASA for the L2L tunnels. I can set up the L2L tunnel above but the customer wants us to NAT our side using their range of

Specifically, how do I nat our server to when going to through the VPN?  Basically, the customer already has routes set up for so if we can do the NAT to that range on our end then they don't need to add any routes on their end.  Keep in mind that our server is also serving other customers so we only want the NAT to take effect when going to the specific customer

Federico Coto F... Mon, 05/17/2010 - 13:28


Instead of doing NAT exemption for the VPN traffic, you need to NAT it.

You do this with Policy NAT:

access-list 150 permit ip host host

static (in,out) access-list 150

Make sure there are no NAT 0 access-list statements for the above IPs.

Then the crypto ACL for interesting traffic is defined like this:

access-list crypto permit ip host


rimbertr1 Mon, 05/17/2010 - 14:15

Hello Federico,

Thank you for replying.

When you wrote: "Make sure there are no NAT 0 access-list statement for the above IPs.", did you mean all the ones involved?

I do have a NAT 0 for the subnet (defined as dmz):

nat (dmz) 0 access-list dmz_nat0_outbound

Is this what you mean?  If so, is there a way to work around it?

Federico Coto F... Mon, 05/17/2010 - 14:20

I should have been more specific.

Make sure the nat 0 access-list for the does not overlap with 10.1.3.x

The idea is that you should not have a nat 0 access-list statement bypassing NAT for traffic between and 10.1.3.x, so that the Policy NAT can kick in.

If you have a nat 0 access-list for the but when going let's say to, then this is not a problem.


rimbertr1 Mon, 05/17/2010 - 14:46

I'm still not quite clear on what I need to do.

I was able to set up the access list

access-list 150 permit ip host host

but when I tried to add the nat via

static (dmz,external) access-list 150

I get:

INFO: overlap with existing static
  dmz: to external: netmask

Our server is in the dmz subnet and the customer is in the external subnet (we are using the external interface as the VPN device).

What am I doing wrong?

We are using the Cisco ASA 5520 if that helps.

Is this something I can try doing via ASDM?  Unfortunately, when it comes to firewalls, I'm more comfortable with ASDM.

Federico Coto F... Mon, 05/17/2010 - 14:49

Do you have this statement if you do "sh run static"?

static (dmz,external)

If so, why do you have that statement, do you need it?
If you don't, remove it and add the commands I gave you.


rimbertr1 Tue, 05/18/2010 - 08:43

Hello Federico,

I do have that statement:

static (dmz,external) netmask

It looks like all of our hosts have similar statements.  I believe that is how ASA works - it does static NAT for all the hosts to pass traffic.  I could be wrong though.

Since that server has to serve other customers, I do not want to remove that static NAT because it will probably prevent it from serving other customers.

Anything else I can try?

Federico Coto F... Tue, 05/18/2010 - 08:51

What is exactly the use of that server?

It seems that you need to access from the external interface.


If you need to access the server only on ports 80 and 25, you can do the following:

Remove the static and re-enter it like this:

static (dmz,external) tcp 80 80

static (dmz,external) tcp 25 25

And then, re-enter the Policy NAT for the VPN traffic.

In order to do this, please find out which services are being accessed on to check if you can go with the above configuration.


rimbertr1 Tue, 05/18/2010 - 12:10

That server streams data to our customers (including the one who wants the NAT).

I tried removing the NAT statement, static (dmz,external) via ASDM and it says:

"The operation you are trying to perform will result in some security rules being nullified.  Please review your translation/security rules and try this operation again."

And it won't let me delete that NAT statement.
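The whole arrangement the thread works towards, written out as an added example (not configuration posted by either participant). It uses ASA 8.2-era NAT syntax, the interface names dmz and external and the customer network 10.1.3.x from the thread; every other address (10.0.0.10, 203.0.113.10, 192.0.2.10, 10.20.0.0/16) is a constructed placeholder.

```cisco
! Added example, not from the thread. ASA 8.2-style NAT syntax.
! Constructed placeholder addresses:
!   10.0.0.10      real address of the streaming server in the dmz
!   203.0.113.10   its public address on the external interface
!   192.0.2.10     address from the range the customer asked us to present
!   10.1.3.0/24    the customer's network behind the L2L tunnel (from the thread)
!   10.20.0.0/16   some other tunnel that legitimately needs NAT exemption

! 1. Policy NAT: translate the server ONLY when it talks to the customer
!    network. A policy static is matched before the ordinary statics below,
!    so every other customer keeps reaching the server as 203.0.113.10.
access-list VPN_POLICY_NAT extended permit ip host 10.0.0.10 10.1.3.0 255.255.255.0
static (dmz,external) 192.0.2.10 access-list VPN_POLICY_NAT

! 2. Keep the server reachable for everyone else. A blanket one-to-one
!    "static (dmz,external) 203.0.113.10 10.0.0.10 netmask 255.255.255.255"
!    is what triggers the "overlap with existing static" message seen above,
!    so publish only the ports the other customers actually use (80 and 25
!    were the ports discussed; adjust to what "show conn" reveals).
static (dmz,external) tcp 203.0.113.10 80 10.0.0.10 80 netmask 255.255.255.255
static (dmz,external) tcp 203.0.113.10 25 10.0.0.10 25 netmask 255.255.255.255

! 3. NAT exemption is evaluated before policy NAT, so dmz_nat0_outbound must
!    NOT match server -> 10.1.3.0/24, or the exemption wins and the policy
!    static never applies. Keep the exemption ACL narrow: only the networks
!    that really need untranslated access, never "any".
access-list dmz_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (dmz) 0 access-list dmz_nat0_outbound

! 4. The crypto ACL must name the TRANSLATED address, because NAT happens
!    before the packet is matched against the crypto map. The rest of the
!    existing L2L configuration (peer, transform set, tunnel-group) is unchanged.
access-list CUSTOMER_CRYPTO extended permit ip host 192.0.2.10 10.1.3.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address CUSTOMER_CRYPTO

! Verification after a test flow to the customer:
!   show xlate | include 10.0.0.10      -> expect a translation to 192.0.2.10
!   show crypto ipsec sa                -> local ident 192.0.2.10, remote 10.1.3.0/24
```

Because the port statics keep the same mapped address 203.0.113.10, the external-interface access rules that made ASDM warn about "security rules being nullified" still match the server after the one-to-one static is replaced.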

