IP address overlap

May 25th, 2010

We are configuring a remote site with an ASA 5580 at each site. Our IP segment for the server [which they are to have access to] uses the same segment for other services within their organization. Our server is one of the core servers which our physicians access remotely to read cases. Our segment is also used with all of the remote sites which we are communicating with. I want to be able to NAT for this particular server only for this site-to-site VPN tunnel and not for the entire network segment. I want to perform this without breaking our segment.

Please advise.

Federico Coto F... Tue, 05/25/2010 - 13:29


In order to NAT just specific traffic through one tunnel, you should use Policy NAT.

Let us know if you can share more details to help you out.


gmmassey25 Tue, 05/25/2010 - 13:38

Then I would require 2 commands in order to make this work, such as: access-list policy-nat extended permit ip (inside IP) x.x.x.x (remote IP)

then static (inside,outside) remote IP address access-list policy-nat

What else do you require as far as information?

Federico Coto F... Tue, 05/25/2010 - 13:45

Actually that's what you need.

Since the ASA has an order in the NAT checking, make sure there's no NAT exemption or static NATs for those IPs, so that the Policy NAT will work.


gmmassey25 Tue, 05/25/2010 - 14:14

There is a NAT exemption for outbound traffic on this particular interface.

hdashnau Tue, 05/25/2010 - 14:33

The nat exemption in the outbound direction won't matter unless it specifically overlaps.

For example say your L2L is between (local) and (remote)....

Policy NAT:

access-list policynat permit ip

nat (inside) 1 access-list policynat

global (outside) 1

NAT exemption that would break this policy NAT:

access-list nonat permit ip any

nat (inside) 0 access-list nonat

*destination is any, so that matches our remote and would take priority because it's NAT exemption

NAT exemption which would have no effect on this traffic:

access-list nonat permit ip

nat (inside) 0 access-list nonat

*destination is so that does not match our remote, and this NAT exemption would have no effect on our policy NAT

Hope this helps clear things up,


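The thread above leaves the addresses out; the following is an added illustration of the same arrangement, not configuration from the thread or from Cisco. All addresses are constructed placeholders (documentation ranges), the interface names and ACL names are assumed, and it follows the pre-8.3 ASA NAT syntax the posters use. It also shows the check that the thread does not: the crypto ACL has to match the translated address, because the ASA translates before it encrypts.

```cisco
! Added example, not from the thread. All addresses are constructed placeholders.
! Local server 10.10.10.5 sits on inside; the remote organization also uses
! 10.10.10.0/24, so the server is presented to this one tunnel as 192.0.2.5.
! The remote side presents its hosts to us as 198.51.100.0/24 (assumed).

! Static policy NAT: translate the server only when it talks to this peer.
access-list policy-nat extended permit ip host 10.10.10.5 198.51.100.0 255.255.255.0
static (inside,outside) 192.0.2.5 access-list policy-nat

! Crypto ACL for the L2L tunnel: written with the translated (post-NAT) address.
access-list l2l-remote extended permit ip host 192.0.2.5 198.51.100.0 255.255.255.0

! NAT exemption for the other tunnels, scoped to their subnets (172.16.0.0/16 assumed)
! so it can never match 198.51.100.0/24 and take priority over the policy NAT.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! Verification: the trace should show the static policy NAT being hit and the
! packet leaving via the VPN, not the nat 0 exemption.
packet-tracer input inside tcp 10.10.10.5 443 198.51.100.20 1024
show xlate
```

If the packet-tracer output reports the nat 0 rule instead of the static, the exemption ACL still overlaps the remote range and needs to be narrowed.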
hdashnau Tue, 05/25/2010 - 16:12

P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!

gmmassey25 Wed, 05/26/2010 - 09:48

I have run into the same problem with another site and am trying to have them test a tunnel while utilizing the nat policy commands.

I will let you know what actually worked as soon as I can get the second company to commit to establishing a tunnel.

