Cisco Support Community
New Member

NAT through vpn tunnel

Hi all

If I want to NAT to a pool via a VPN tunnel on my ASA, is this OK?

I have done a NAT from the original source addresses, destination original,

which then translates to a source pool of addresses, destination original.

Do I base my VPN tunnel phase 2 networks on the NATed address?



Super Bronze

Re: NAT through vpn tunnel


If your Internet connection and VPN use the same interface on the ASA (which they usually do) then you should configure a Dynamic Policy NAT. You will have to specify the destination networks as the remote L2L VPN networks.

The reason for this is simply that you might otherwise cause this translation to apply to your users' Internet traffic, and therefore potentially NAT them to a private NAT pool and prevent Internet connectivity.

And yes, you will use your NATed source address as the source for the L2L VPN interesting traffic in the Crypto ACL.

I am not sure what software you are using, but the basic configuration format (which can differ depending on your current NAT configuration) could be:

Software 8.2 (and older)

global (outside) 200
global (outside) 200
access-list POLICY-NAT permit ip
nat (inside) 200 access-list POLICY-NAT

Software 8.3 (and above)

object network NAT-POOL

object network PAT-ADDRESS

object-group network DYNAMIC-NAT-PAT
network-object object NAT-POOL
network-object object PAT-ADDRESS

object-group network SOURCE-NETWORKS

object-group network DESTINATION-NETWORKS

nat (inside,outside) after-auto 1 source dynamic SOURCE-NETWORKS DYNAMIC-NAT-PAT destination static DESTINATION-NETWORKS DESTINATION-NETWORKS

The above configurations are just rough examples of what the Dynamic NAT (+ PAT overload) might look like on the ASA, depending on the software.

The PAT address is added here just in case the pool is smaller than the source networks' address space. Otherwise the NAT pool might run out and connections could start failing.

Both configurations should be modified according to current configurations so that they are applied correctly.

- Jouni
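The following is an added example, not code from the thread or from Cisco: a small Python model of the ordering Jouni's reply relies on (manual NAT is applied first, then the crypto ACL is matched against the post-NAT source). It compares a destination-aware policy NAT with a plain dynamic NAT that has no destination restriction, and also shows the PAT fallback once a small pool is exhausted. All addresses, object names and the pool size are constructed placeholders, not values from the post.

```python
"""Added example (not from the thread): a small model of how the ASA orders
manual NAT before the crypto ACL check, so the effect of a destination-aware
(policy) NAT versus a plain dynamic NAT can be seen on constructed flows.
All addresses below are constructed placeholders, not taken from the post."""
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class PolicyNat:
    """Manual NAT rule: match real source (and optionally destination), translate source.

    destinations=None models a plain dynamic NAT that fires for any destination,
    which is the misconfiguration the reply warns about.
    """

    def __init__(self, sources, destinations, pool, pat_address):
        self.sources = [Net(s) for s in sources]
        self.destinations = None if destinations is None else [Net(d) for d in destinations]
        self.pool = [IPv4(p) for p in pool]
        self.pat_address = IPv4(pat_address)
        self._leased = {}  # real host -> pool address currently assigned

    def matches(self, src, dst):
        if not any(IPv4(src) in n for n in self.sources):
            return False
        if self.destinations is None:
            return True
        return any(IPv4(dst) in n for n in self.destinations)

    def translate(self, src):
        """One pool address per real host; overload on the PAT address once the pool is empty."""
        src = IPv4(src)
        if src in self._leased:
            return self._leased[src]
        in_use = set(self._leased.values())
        for candidate in self.pool:
            if candidate not in in_use:
                self._leased[src] = candidate
                return candidate
        return self.pat_address


def outbound(src, dst, policy_nat, interface_pat, crypto_acl):
    """Return (translated_source, 'vpn' or 'internet') for a packet leaving inside.

    NAT is applied first; the crypto ACL (list of (src_net, dst_net) pairs written
    with post-NAT sources, as the reply advises) is then checked against the result.
    """
    if policy_nat.matches(src, dst):
        translated = policy_nat.translate(src)
    else:
        translated = IPv4(interface_pat)  # ordinary interface PAT for everything else
    for acl_src, acl_dst in crypto_acl:
        if translated in Net(acl_src) and IPv4(dst) in Net(acl_dst):
            return str(translated), "vpn"
    return str(translated), "internet"


# Constructed topology (hypothetical values; the pool is deliberately tiny).
INSIDE_LAN = "10.10.0.0/16"                    # local users
REMOTE_LAN = "192.0.2.0/24"                    # far side of the L2L tunnel
NAT_POOL = ["172.16.50.10", "172.16.50.11"]    # private pool presented to the peer
PAT_ADDRESS = "172.16.50.12"                   # overload address once the pool runs out
INTERFACE_PAT = "203.0.113.1"                  # outside interface, used for Internet traffic
CRYPTO_ACL = [("172.16.50.0/24", REMOTE_LAN)]  # interesting traffic uses NATed sources
INTERNET_HOST = "203.0.113.50"                 # some host on the Internet


def policy_nat():
    """The recommended rule: destination limited to the remote VPN networks."""
    return PolicyNat([INSIDE_LAN], [REMOTE_LAN], NAT_POOL, PAT_ADDRESS)


def plain_dynamic_nat():
    """The risky rule: same pool, but no destination restriction."""
    return PolicyNat([INSIDE_LAN], None, NAT_POOL, PAT_ADDRESS)


if __name__ == "__main__":
    good, bad = policy_nat(), plain_dynamic_nat()
    for host in ("10.10.1.5", "10.10.1.6", "10.10.1.7"):
        print("policy NAT, VPN peer :", outbound(host, "192.0.2.20", good, INTERFACE_PAT, CRYPTO_ACL))
    print("policy NAT, Internet  :", outbound("10.10.1.5", INTERNET_HOST, good, INTERFACE_PAT, CRYPTO_ACL))
    print("plain NAT, Internet   :", outbound("10.10.1.5", INTERNET_HOST, bad, INTERFACE_PAT, CRYPTO_ACL))
```

With the policy NAT, traffic to the remote LAN leaves with a pool address and matches the crypto ACL, the third host falls back to the PAT address, and Internet-bound traffic is untouched and leaves with the interface address. With the plain dynamic NAT, the same Internet-bound packet leaves with the private pool address and no tunnel matches it, which is the connectivity loss the reply describes.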
