Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Port Address Translation using IP Address of Interface

Unanswered Question
Mar 26th, 2012
User Badges:

Hello All,

If you're using the "PAT using IP Address of Interface" option as the translated address for an IPSec VPN tunnel...then what would you use as the Local Encryption Network?

Would it be what the Outside-Network Subnet ID is?


Source: DMZ-network/24

Destination: X.X.X.0/24

Translated Address:  A.A.A.66/28


Name (Remote Peer IP):  X1.X1.X1.193

Local Network:  outside-network/28????? (or could this just be the NAT'd to IP address A.A.A.66/28)?

Remote Network: X.X.X.0/24


Thank you for the help,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Jouni Forss Tue, 03/27/2012 - 06:27
User Badges:
  • Super Bronze, 10000 points or more


In our case atleast, usually there is NAT0 / NAT Exempt for all L2L VPN traffic.

I guess you will just want to PAT all traffic from one site to the other? So basicly only one site would be establishing the connections in this L2L VPN setup? (Since you can't access host behind the PAT translations only)

To my understanding if you want to use some PAT address on your firewall as the source address for the L2L VPN traffic, you use the PAT address as your local network in the encryption domain configurations.

For example we have a setup where we have a /24 public network on our outside interface of ASA

Our encryption domain ACL therefore  has the whole /24 public network range as the source address for the L2L VPN. Some of the translations are simple PAT translations. Some are Policy PAT translations. Some are just static NATs.

Please rate if you found any information helpfull.

- Jouni

ementzer7 Tue, 03/27/2012 - 07:37
User Badges:

Thank you for the feedback/help Jouni,

Sounds like using the "outside-network" public IP address network will be ok as the Local Encryption network for the L2L VPN?

After that, our DMZ can be PAT'd to the outside IP address of the interface itself to their remote "local" network.

Then in theory all should work.

Does the above sound right to you?

Thanks Again!



This Discussion