VPN with NAT on ASA5505

Unanswered Question
Aug 18th, 2010

I have a corporate network with, and we need to establish VPN tunnels to several sites, each of which has the same network locally. I am able to get one connected via a site-to-site VPN tunnel, but without NAT. Incidentally, each remote site is a Sonicwall TZ170 to 210 model.

What do I need to do to NAT every remote site so that they can reach our servers at 192.168.200.x/24 and we can reach their servers at 172.16.100.x/24? We need to be able to communicate bi-directionally, and servers at either end need to be statically addressable.

Below is part of the config:

ASA Version 8.0(4)


name {removed IP} Firewall-FAY description Fayetteville NC Sonicwall TZ180 Firewall

access-list outside_dyn extended permit ip
access-list split extended permit ip
access-list nonat extended permit ip
access-list nonat extended permit ip
access-list nonat extended permit ip FAYLAN
access-list guest->internal extended deny ip
access-list mbnav_splitTunnelAcl extended permit tcp host eq 3389
access-list outside_1_cryptomap extended permit ip FAYLAN


global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
nat (guest-wlan) 1
static (inside,outside) tcp interface 3389 3389 netmask
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface ftp ftp netmask
static (inside,outside) tcp interface https https netmask
access-group in->out in interface outside
route outside {removed external IP} 1


crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Firewall-FAY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 2147483647
crypto map outside_map 65535 ipsec-isakmp dynamic DYNO
crypto map outside_map interface outside

Jennifer Halim Thu, 08/19/2010 - 02:49

Since the remote ends are the ones that do not have unique subnets, the NATing needs to be done on the remote end. It cannot be done on this ASA end, because as far as the ASA is concerned, the remote subnets are all the same subnet if they are all in subnet, and there is no way to differentiate between them.
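What the ASA side looks like once the arrangement Jennifer describes is in place, as an added example that is not from the original post, from Cisco or from SonicWall. It assumes the corporate LAN behind the ASA is 192.168.200.0/24, that every remote site's real LAN is the overlapping 172.16.100.0/24, and that each remote SonicWall translates its LAN 1:1 to a unique subnet before traffic enters the tunnel (172.16.101.0/24 for the Fayetteville site, 172.16.102.0/24 for a hypothetical second site behind a peer named Firewall-SITE2 at the documentation address 203.0.113.2). The names FAY-NAT-LAN, SITE2-NAT-LAN, Firewall-SITE2 and the ACL outside_2_cryptomap are made up for the example; ESP-3DES-SHA, DYNO, Firewall-FAY and outside_1_cryptomap are taken from the posted config. Because the ASA only ever sees the translated subnets, its nonat and crypto ACLs are written against those, one crypto map entry per peer, in the ASA 8.0(4) syntax the question uses.

```cisco
! Added example, not from the thread. Assumed: corporate LAN 192.168.200.0/24 behind the
! ASA; each remote SonicWall NATs its real 172.16.100.0/24 to a unique /24 before the
! tunnel, so the ASA never sees the overlapping real subnet and can tell the sites apart.
name 172.16.101.0 FAY-NAT-LAN description Fayetteville LAN as translated by its SonicWall
name 172.16.102.0 SITE2-NAT-LAN description Hypothetical second site LAN as translated by its SonicWall
name 203.0.113.2 Firewall-SITE2 description Hypothetical second SonicWall (documentation address)

! Exempt tunnel traffic from the dynamic PAT of "nat (inside) 1": one line per remote site.
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 FAY-NAT-LAN 255.255.255.0
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 SITE2-NAT-LAN 255.255.255.0
nat (inside) 0 access-list nonat

! Interesting-traffic ACLs; each SonicWall must mirror its entry exactly, using its translated subnet.
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 FAY-NAT-LAN 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.200.0 255.255.255.0 SITE2-NAT-LAN 255.255.255.0

! One static crypto map entry per peer, ordered ahead of the dynamic entry at 65535.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Firewall-FAY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer Firewall-SITE2
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYNO
crypto map outside_map interface outside
```

With a 1:1 translation on the remote side the host part survives, so the server that is really 172.16.100.10 in Fayetteville is reached from the corporate LAN as 172.16.101.10, and the same host number at the second site as 172.16.102.10, which keeps servers statically addressable as the question requires. To check the ASA side, `packet-tracer input inside tcp 192.168.200.10 1024 172.16.101.10 445` should show the flow hitting the nonat exemption and the VPN encrypt phase rather than the outside PAT, and `show crypto ipsec sa` should show a separate SA per peer whose encaps/decaps counters rise when traffic is sent.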
