How to configure opposite NAT policies on the same ASA.

Unanswered Question
Sep 9th, 2010
User Badges:

Issue : Our company is currently in the process of migrating all the vendor VPn traffic from concentrators to ASA -5540s. Our vendors connect using either Clientless , Client based and /or Site2Site.

All the 3 VPN configurations need to exist on the same appliances.

We have currently have a stable environment set up for Clientless and IPSEC client where vendors connect to real addresses. However our Site to Site connections ( which initally ) existed on a concentrator needs to be moved to the same ASA. The site to Site masks internal addresses by natting them to a public address range 168.244..0.0 /16

Is there a way to configure ASA to nat only Siteto Site traffic and not the Client and Clientless traffic .

One option our team has come up with is to create a new DMZ on the ASA and route traffic pointing to the new DMZ range. /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

Is there any otherworkable solution ?

Thanks in advance


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Yudong Wu Thu, 09/09/2010 - 11:00
User Badges:
  • Gold, 750 points or more

Not sure your ASA version. If it is running early than 8.3, You can configure policy static NAT to only nat the traffice for site to site VPN.

1. define a ACL to include all site to site traffic

access-list s2s permit ip

access-list s2s permit ip

2. configure policy static nat

static (inside_interface_name, outside_interface_name) netmask access-list s2s

Here is command ref

8.3 code can do the same but the syntax is different.


This Discussion