Nat question

Unanswered Question
Sep 8th, 2010


I have 2 offices (primary site and dr site) with an ASA 5505 in each.  From the primary site I have a VPN configured to a third party site.  The 3rd party site also has an ASA 5505.  There is a NAT pool configured on the 3rd party ASA which nats the main sites ip range to and then it gets routed to its destination. 

Primary site -

DR Site -

Third Party -

I want to configure the DR ASA to terminate a VPN to the 3rd party site also but if I try to use the NAT pool the ASA will not support it.

So my question, Do I have to configure a different NAT pool for this to work or is there some piece of magic I can do to utilise the existing nat pool.

the reason the nat pool has to be there is becuase the to access the services on that site the source address must be from the 10.94 pool.

hope that makes sense

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Wed, 09/08/2010 - 19:47


I'm sorry but I don't think that I understand your question.

You have a problem with NAT because it will overlap?

To get around overlapping you can use VRF-aware IPsec.

If you provide a sample drawing or explain a little bit more clearly, we can help you out.


agent2007 Wed, 09/08/2010 - 23:54

You can not assign a nat pool to different encryption domains

The Main site is being natted to ip pool in the 3rd party site

the dr site can not be natted as the nat pool cant be assigned to more than one subnet

I have asked the 3rd party provider for another subnet that I can use to nat the dr site to but they wont give me one so I need to figure out a way around this.

I'm not sure there is one.

vrf-aware ipsec sounds interesting.  would you mind telling me a bit more about it?

Many thanks


This Discussion