L2L Policy NAT but making it use PAT

Jul 9th, 2010

The following config will do Policy NAT on a L2L tunnel, but I want to PAT from one IP. So, for example, instead of NATing, I want to PAT for all inside clients before crossing the tunnel. Can this be done? How? I tried setting the static to but get errors about overlapping global...

In order to configure Policy NAT for VPN traffic, for example, to change the source address, refer to this configuration example. In this example, the internal network is

  • Create an access-list for Policy NAT with real source and a destination IP address.

access-list POLICYNAT extended permit ip host
access-list POLICYNAT extended permit ip

  • Create a static command that states that when source is and destination is or, change it to

static (inside,outside) access-list POLICYNAT

  • Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example,

access-list VPN extended permit ip host
access-list VPN extended permit ip

  • Apply the crypto access-list to crypto map.

crypto map VPN 10 match address VPN

Jennifer Halim (Cisco Employee) Fri, 07/09/2010 - 17:35

Please kindly be advised that with PAT, the traffic can only be initiated from the PAT end of the L2L tunnel, not the other way round since PAT is dynamic.

Here is what can be configured:

- As per your example, local subnet is, remote subnet is, and you would like to PAT the subnet to

I will also use the same ACL: POLICYNAT:

nat (inside) 5 access-list POLICYNAT

global (outside) 5

Crypto ACL will then be "permit ip host", and "permit ip host host", with mirror image ACL on the other side of the L2L tunnel.

Hope that helps.
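The configuration the answer describes, written out with sample addresses as an added example (not the poster's or Cisco's own config): it assumes a 10.1.1.0/24 inside network, a 192.168.2.0/24 remote network and 203.0.113.10 as the single PAT address (all constructed), and uses the pre-8.3 ASA nat/global syntax the thread's commands use.

```cisco
! ---- Local ASA (the PAT end of the L2L tunnel) ----
! Policy NAT ACL: real inside source, real remote destination.
access-list POLICYNAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Dynamic policy NAT: a single address in the global pool means PAT.
! Using nat/global (not static) avoids the "overlapping global" error
! the poster hit, because static is one-to-one and cannot PAT a subnet.
nat (inside) 5 access-list POLICYNAT
global (outside) 5 203.0.113.10
!
! Crypto ACL is written with the translated (PAT) source, because NAT
! is applied before the packet is matched against the crypto map.
access-list VPN extended permit ip host 203.0.113.10 192.168.2.0 255.255.255.0
crypto map VPN 10 match address VPN
!
! ---- Remote peer: mirror-image crypto ACL ----
! The remote side sees only the PAT address, so its interesting-traffic
! ACL is the exact mirror of the local one.
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 host 203.0.113.10
crypto map VPN 10 match address VPN
!
! Caveat from the answer: because the translation is dynamic, only hosts
! behind the PAT end (10.1.1.0/24) can initiate sessions across the
! tunnel; 192.168.2.0/24 cannot open connections toward 203.0.113.10.
```

A quick check after applying this is `show xlate` on the local ASA while an inside host is talking to the remote subnet: the entries should show 10.1.1.x translated to 203.0.113.10 with a port, and `show crypto ipsec sa` should list 203.0.113.10/32 to 192.168.2.0/24 as the proxy identity.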
