Static nat having subnets for remote and local

Unanswered Question
Aug 20th, 2010

Hi Everyone,

Currently there about 120 hosts ( subnet) in our side that are natted on the outside interface of the firewall. I have created a VPN tunnel that allows and to go through the VPN tunnel by natting it via the vpn interface of the firewall. But those particular hosts do not go  through the vpn tunnel since natting is allowed through the outside interface.

Can i allow the entire and to be statically natted via one single IP towards the Tunnel. I  realize that static nat is given priority than normal nat. I tested with one static nat --> --> vpn tunnel and it works inspite the is also natted on the outside interface. Now it is going out the vpn  tunnel as well as outside since I have assigned policy nat on the static nat to go towards the vpn tunnel. But i cant do this all 120 hosts. It is not practical.

Can i do this

( is the remote lan public address

access-list site_to_site_vpn extended permit ip

static (inside.vpn) access-list site_site_vpn

Thanks in advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
praprama Fri, 08/20/2010 - 20:34


I assume your topology is something like this:







So you already have a

nat (inside) 1

global (outside) 1 interface

Now you would like to policy NAT this subnet for the VPN to be NATed to on the vpn interface. If this is what you need then you would need to create a DYNAMIC PAT. The STATIC PAT that you have configured will not work because in the ACL you have specified the source as an entire SUBENT but the translated IP is just one IP address and not a subnet.

Also, you would need a route for the remote VPN subnet pointing out the vpn interface.

For information on DYNAMIC PAT, please refefr the document below:

you will have to specify this ACL site_to_site_vpn on the nat command and a global for the vpn interface. Let me know if it works.



sidcracker Fri, 08/20/2010 - 20:41

That was the first method i tried using dynamic PAT with policy nat. But they were not able to ping the tunnel remote lan. when i did a static nat for one of those IPS via the tunnel with policy nat it worked.


sidcracker Fri, 08/20/2010 - 20:45

There is another policy nat via dynamic PAT going to the outside interface. So another policy nat will not do the trick

praprama Fri, 08/20/2010 - 21:39

Can you run a packet-tracer with the dynamic policy NAT configured? And paste the output here?



Nagaraja Thanthry Sat, 08/21/2010 - 00:17


If I understand your topology correctly, you have two separate interfaces,

one for VPN and one for outside internet access (please correct me if I am

incorrect). You would like all your internal clients to access the remote

LAN using a different IP. Could you please check the following:

-- Make sure that the firewall has a route statement that points remote

subnets to the VPN interface

router vpn

-- Make sure that you have a proper NAT statement for the communication

between inside and remote subnet

access-list pnat permit ip

access-list pnat permit ip

global (vpn) 10

nat (inside) 10 access-list pnat

-- Make sure that you have configured your cryptomaps correctly to include

the mapped address ( on both sides

Once the above steps are verified (on both ends), you should be able to

communicate between the inside clients and the remote subnet without any




sidcracker Sat, 08/21/2010 - 03:54

Hello Nagaraja,

Sorry for not being able to reply quickly. I think what you are asking me to do is a another policy nat with global. Well that will not work as i tried it before. To give you an understanding of the topology.




ASA Firewall --------- VPN Router ------- internet

There is a NAT on the outside interface pointing to the Interneton the FW for 120 hosts in that subnet. That is done using policy nat as you mentioned. That is working perfect. Now the customer wants to NAT those 120 hosts through another interface which is via the vpn interface towards the vpn router. Here is cant use policy nat again since it wont work.

So what i came up with is using nat exemption on that interafce for that subnet... What do you reckon?? I tested with static nat with subnets and it wont accept it.


praprama Sat, 08/21/2010 - 07:33

My doubt is why the static policy NAT is working but not dynamic policy NAT. As Nagaraja said, if you have the route for the remote LAN subnet pointing out through the vpn interface, then both should work. This is the reason why i wanted you to run a packet-tracer with dynamic policy NAT configured so we can see where exactly the packets are getting routed (outside or vpn interface).

Again, just to clarify one thing. If we use a dynamic policy NAT, traffic can be initiated only from your LAN ( to the remote LAN (



Nagaraja Thanthry Sat, 08/21/2010 - 08:21


So, the VPN is getting terminated on a different device (VPN router). Is

that correct? If the VPN traffic is leaving on a different interface, then

you should be able to apply the Dynamic NAT without any issue as the NAT

rules are applied after determining the exit interface not globally. If you

were not able to PING from your local subnet to remote, based on your

settings, I am assuming that you did not have "inspect icmp" enabled under

the policy map. Can you please give it a try again (dynamic policy) with

ICMP inspection enabled?



sidcracker Sat, 08/21/2010 - 16:24


inspect icmp is configured on the firewall. If same traffic goes out two interfaces via wont it look at the priority settings? Static NAT is given more priority than regular NAT or policy NAT. So when i configured static NAT is worked because it has higher priority. Unfortunately I cant use static nat since I have to allow 120 hosts individually and it wont accept subnets as the source.

NAT exemption is given higher priority than any thing else.

The nat policy going out is --> any ---> interface outside (Policy nat)

the nat policy on the vpn is --> ----> interface vpn (policy nat) doesnt work only for those 120 hosts otherwise everything else works.

static nat works for hosts included in the outside interface nat.

Nagaraja Thanthry Sat, 08/21/2010 - 16:32


Can you please post the relevant NAT configurations here? Also, please post

the output of "show route" command.



sidcracker Sat, 08/21/2010 - 21:46

Hi Nagaraja,

nat (inside) 100 access-list nat_outside

global (outside) 100 interface

access-list nat_outside extended permit ip host any
access-list nat_outside extended permit ip host any
access-list nat_outside extended permit ip host any
access-list nat_outside extended permit ip host any
access-list nat_outside extended permit ip host any
access-list nat_outside extended permit ip host any

access-list site_to_site_vpn extended permit ip

nat (inside) 1 access-list site_to_site_vpn

global (dmz) 1

The above policy nat doesnt have any affect on

access-list static_nat_vpn extended permit ip host

static (inside,dmz)  access-list static_nat_vpn

The above static nat now works. Now I can send traffic out the outside interface as well as the dmz interface.

Nagaraja Thanthry Sun, 08/22/2010 - 02:39


What kind of traffic are you trying to send from inside to the remote vpn

clients? The only difference between the dynamic NAT that doesn't work and

the one that works is the first one is unidirectional and the second is

bidirectional. I see your point that since the inside-to-outside access-list

also contains the same IP addresses, it may not look at the other dynamic

statements. But, by design, it should not behave that way unless there is

another conflicting NAT statement on the DMZ interface. (Something like

"global (dmz) 100 interface" statement). Can you run a packet tracer (after

putting the dynamic translation back in there and removing the static/nonat

for that traffic) and post the output here? The command would be:

packet-tracer input inside icmp 8 0 detailed



sidcracker Sun, 08/22/2010 - 21:43

HI Nagaraja,

By design both are the same. The static is unidirectional since I have not allowed access-lists to allow outside to enter the dmz. I really cant do much of troubleshooting on this one since its production and have to ask customers consent. But I will get back to you on this one.

Thanks a bunch for your help. Will mail you soon



This Discussion