ASA static to indirect subnet / return traffic without default route NAT help

I am having trouble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utilizes a physical interface on the ASA5510, but I need the interface for another project.

What I have is this:


                         |                           |

                         |                           |-Vlan1

                         |                           |


Currently the 3rdpartyvpn server's default gateway is set to the dedicated ASA interface and routes are configured on the server itself for the internal subnets.

What I want is this:

(second diagram not preserved; only the label "vlan2 (3rdpartyvpn here)" survives)

In this scenario I'll need to configure the 3rdpartyvpn server's default gateway to be the gateway for the vlan. I know a default route on the 4507 would take care of this, but in this case, that isn't an option.

There is a static for the 3rdpartyvpn:

static (3rdpartyvpn,outside) <public> <private> netmask

But as expected, the traffic comes in with its real IP source address and without that default route, doesn't return.

What can I do to translate that traffic?

I'm thinking something along the lines of a nat outside, but am having trouble with the mechanics.

I have:

global (outside) 1 interface
global (guest) 1 netmask
global (netmotion) 1 interface
nat (guest) 0 access-list nonat_guest
nat (guest) 1
nat (inside) 0 access-list nonat
nat (3rdpartyvpn) 1 172.<private>

I would appreciate being pointed in the right direction! TIA!
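To make the routing side of this question concrete, here is an added Python model (not from the original post; the topology, addresses and route table are constructed) of why the server's reply is dropped when the L3 switch has no default route, why a default route would fix it, and why an outside NAT that rewrites the inbound source to an ASA inside-side address also brings the reply back through the ASA:

```python
import ipaddress

# Constructed topology standing in for the second diagram (all addresses made up):
# Internet --[outside] ASA [inside 192.168.100.1] -- 192.168.100.2 L3 switch (4507) -- Vlan2 (3rdpartyvpn)
ASA_INSIDE_ADDR = ipaddress.ip_address("192.168.100.1")

# The L3 switch's routing table: internal prefixes only, deliberately no 0.0.0.0/0.
L3_SWITCH_ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "Vlan1",
    ipaddress.ip_network("10.2.0.0/24"): "Vlan2",          # 3rdpartyvpn server lives here
    ipaddress.ip_network("192.168.100.0/24"): "to-ASA",    # link toward the ASA inside interface
}

def longest_prefix_match(routes, dst):
    """Return the egress for dst, or None when the table has no matching route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, egress) for net, egress in routes.items() if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_seen_by_server(real_src, outside_nat):
    """Source address the server sees in the inbound packet. With outside NAT the
    ASA rewrites the Internet source to its own inside-side address, so the
    server replies to something the L3 switch can route; without it the
    server sees the real Internet address."""
    return ASA_INSIDE_ADDR if outside_nat else ipaddress.ip_address(real_src)

def reply_egress(real_src, outside_nat):
    """Where the L3 switch sends the server's reply; None means dropped (no route)."""
    return longest_prefix_match(L3_SWITCH_ROUTES, source_seen_by_server(real_src, outside_nat))

def reply_egress_with_default_route(real_src):
    """The alternative the OP says is not available: a default route on the 4507."""
    routes = dict(L3_SWITCH_ROUTES)
    routes[ipaddress.ip_network("0.0.0.0/0")] = "to-ASA"
    return longest_prefix_match(routes, real_src)

if __name__ == "__main__":
    client = "203.0.113.7"  # constructed remote client address
    print("no outside NAT, no default route:", reply_egress(client, False))
    print("outside NAT, no default route:   ", reply_egress(client, True))
    print("no outside NAT, default route:   ", reply_egress_with_default_route(client))
```

Note the trade-off the model makes visible: with outside NAT the server's own logs record the ASA address rather than the real client, so per-client auditing has to be done on the ASA.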


Re: ASA static to indirect subnet / return traffic without default route NAT help

Hi Bro

You can still maintain the first diagram. To do this, you could utilize the subinterface method for this, as shown below:

Note: Assuming Ethernet 0/2 is used here:

interface Ethernet 0/2
 no ip address
 no nameif
 no security-level

interface Ethernet 0/2.2
 description ### Link to Third Party VPN Server ###
 vlan 2
 ip address
 nameif 3rdpartyvpn
 security-level 10

interface Ethernet 0/2.3
 description ### RSVD for New Project ###
 vlan 3
 ip address
 nameif newproject
 security-level 10


That means the external port of your third party VPN Server and your new project will share the same physical interface, i.e. Ethernet 0/2. If you don't like this approach, then you could share the guest interface instead.

If you refuse to point your default gateway of your third party VPN Server to the L3, then this won’t work. This is because the link between the Router and the Layer 3 isn't in VLAN 2 as well. By the way, why do you have a Router between L3 and the Cisco ASA FW?

I’m assuming you have no more available ports in the FW and Router.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department