Site to Site - Policy NAT VPN Setup (remote scheme issue)

Jul 31st, 2012

I currently have a Site 2 Site VPN Tunnel with a company where the destination Scheme is (Company A) /24. 

I now have a situation where I need to setup another VPN connection to (Company B) /24.

My side:

Home Company: /24

Company A:      /24

Company B:      /24  ** This side doesn't really have an IT staff to attempt any Policy NAT, etc **

Problem: I currently have a VPN Tunnel between Home Company ----> Company A ** UP And RUNNING FOR A LONG TIME !!!! **

I need to setup a VPN Tunnel between Home Company -----> Company B

***** NOTE ***** - Company A & Company B will never need to communicate with each other.

Can someone give me a little guidance on best practice to make this work without Company B changing IP Scheme within their LAN?

nkarthikeyan Tue, 07/31/2012 - 11:21

Hi Gregory,

You can do that with NAT/PAT in Site to Site. See for example:

Customer B should get NATed to, say, when it comes in the Site to Site tunnel, so that they can operate in the same LAN subnet. The only thing is that they need to make these changes in the VPN firewall.

Your site IP - Cust B ( will be the site to site policy.

The first thing is that they have to NAT their subnet for the S2S VPN tunnel traffic to a different IP. Then your VPN ACL will also point to the NAT/PAT range, so that communication will happen.

Please do rate if the given information helps.



AdmShatan Tue, 07/31/2012 - 11:47

K. Natarajan has a good plan there. I've had to do this both ways, and I can tell you that PAT or Policy NAT will work.

We have a vendor that we VPN to, to submit orders to. Since they already had a client with our IP scheme, we implemented a policy NAT. We only had a few machines that accessed those orders, so we created a policy NAT that translated those addresses to a group of addresses to send them. They in turn sent back to the NAT addresses, which our ASA translated back to the original machines.

Gregory Engle Tue, 07/31/2012 - 12:20

I have Policy NATs in place for Tunnels that I share the same private IP schemes with. However, in this scenario, my COMPANY doesn't share the same IP Scheme. I have another Tunnel setup, where the remote side of that tunnel shares the same space.

Here is my example:

My Network: /24

Company A: /24 *** Tunnel is up and running for a while ***

Company B: /24 *** QUESTIONS ***
Company C: /24   *** I Policy NATed to alter my side to be and this is working. ***

I am just a little confused on the setup for Company B Policy NAT for this scenario.  Please see new drawing that shows my 3 Tunnels as listed above.  Company B is the one I'm concerned with as I do not have /24 local to my facility, but I do have over another Tunnel.

Thanks for all responses,

AdmShatan Tue, 07/31/2012 - 14:15

The work you did to make the scheme work for Company C is the same work that company B needs to do, or, you can change your space, and reconfigure all your tunnels.

AdmShatan Tue, 07/31/2012 - 14:18

That, or find out the subset of addresses you need to hit at company A and B.  For example:

Company A you need to get to servers at

Company B you need to get to servers at

That way, you can subnet the protected space down, and traffic can travel over the appropriate VPN. This only works if the subspaces don't overlap.

nkarthikeyan Tue, 07/31/2012 - 22:16

Hi Gregory,

On customer B's end they have to NAT the IP and send it to your tunnel. That is the option over there to solve this issue.

Their original LAN IP will not get changed for their internal users. The only change they have to make is in their firewall, for the LAN IP to get translated to a different IP.

Please do rate if the given information helps.

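The arrangement both of nkarthikeyan's replies describe, written out as an added illustration that is not from this thread or from any of the posters: Company B translates its LAN to a range that does not collide with Company A before the traffic is encrypted, and Home's crypto ACL for the B tunnel references that translated range, so the two crypto map entries no longer match the same destination. All addresses are constructed (Home 10.10.10.0/24, Company A and Company B both 192.168.1.0/24, Company B presented to Home as 172.16.50.0/24), the syntax assumes ASA 8.3 or later manual (twice) NAT, and the peer addresses, object names and crypto map name are placeholders.

```text
! ===== Company B ASA (assumed 8.3+ syntax; constructed addresses) =====
object network B_LAN_REAL
 subnet 192.168.1.0 255.255.255.0
object network B_LAN_XLATE
 subnet 172.16.50.0 255.255.255.0
object network HOME_LAN
 subnet 10.10.10.0 255.255.255.0
!
! Twice NAT: only B traffic destined to Home is translated; Home's
! addresses are left unchanged (destination mapped to itself).
nat (inside,outside) source static B_LAN_REAL B_LAN_XLATE destination static HOME_LAN HOME_LAN
!
! NAT runs before encryption on the ASA, so the crypto ACL must match
! the translated source range, not the real LAN.
access-list VPN_TO_HOME extended permit ip object B_LAN_XLATE object HOME_LAN
crypto map OUTSIDE_MAP 10 match address VPN_TO_HOME
! <HOME_PEER_IP> is a placeholder for Home's public address
crypto map OUTSIDE_MAP 10 set peer <HOME_PEER_IP>

! ===== Home ASA (existing Company A tunnel kept, Company B tunnel added) =====
object network HOME_LAN
 subnet 10.10.10.0 255.255.255.0
object network COMPANY_A_LAN
 subnet 192.168.1.0 255.255.255.0
object network COMPANY_B_XLATE
 subnet 172.16.50.0 255.255.255.0
!
! Identity NAT so Home's hosts keep their real addresses into each tunnel
! instead of being PATed to the outside interface address.
nat (inside,outside) source static HOME_LAN HOME_LAN destination static COMPANY_A_LAN COMPANY_A_LAN
nat (inside,outside) source static HOME_LAN HOME_LAN destination static COMPANY_B_XLATE COMPANY_B_XLATE
!
! The two crypto ACLs name different destinations, so each crypto map
! entry is selected by its own destination; Home reaches Company B's
! hosts as 172.16.50.x and never needs 192.168.1.0/24 over two tunnels.
access-list VPN_TO_A extended permit ip object HOME_LAN object COMPANY_A_LAN
access-list VPN_TO_B extended permit ip object HOME_LAN object COMPANY_B_XLATE
crypto map OUTSIDE_MAP 10 match address VPN_TO_A
crypto map OUTSIDE_MAP 10 set peer <COMPANY_A_PEER_IP>
crypto map OUTSIDE_MAP 20 match address VPN_TO_B
crypto map OUTSIDE_MAP 20 set peer <COMPANY_B_PEER_IP>
```

To check it from Home, `show crypto ipsec sa peer <COMPANY_B_PEER_IP>` should list 10.10.10.0/24 as the local and 172.16.50.0/24 as the remote identity with both encaps and decaps counters increasing, and `show nat detail` on Company B's ASA should show translate hits on the manual NAT rule.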