Cisco Support Community
Community Member

Policy NAT question, ASA 8.2


I'm hoping that someone can straighten me out.  I don't have a ton of experience with ASAs and I've inherited one that I need to support.  Currently it has several IPSec tunnels terminating on it.  There is one tunnel that connects to an office with a network address conflict.  To get around this, the previous administrator put a many-to-one NAT in place:

access-list vpntraffictonat extended permit ip

access-list vpntraffictonat extended permit ip

nat (data) 2 access-list vpntraffictonat

global (outside) 2

So all the remote PCs on are only NAT'ed to 192.168.108.2 when accessing resources on  Now they have requested the ability to connect to the remote PCs from  I assume that I need a Policy Static, so that I don't break traffic going over the other IPSec tunnels.

no nat (data) 2 access-list vpntraffictonat

no global (outside) 2

static (data,outside) access-list vpntraffictonat

My understanding is that this will allow two-way one-to-one NAT between these two networks?  Am I misunderstanding this use of the static command?

Cisco Employee

Policy NAT question, ASA 8.2

Yes, you are absolutely correct.

However, you may need to change your crypto ACL as well. If you just have host on your crypto ACL, you would need to change it to, and so does the other end.
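The following ASA 8.2 configuration puts the original question and this reply together: the many-to-one pair is removed, a policy static gives one-to-one, two-way translation for just the conflicting tunnel, and the crypto ACL carries the mapped network. It is an added example, not the thread's own configuration; the networks 10.10.10.0/24 (real network behind "data"), 172.20.30.0/24 (remote office) and the mapped range 192.168.108.0/24, plus the crypto map and ACL names, are assumed because the thread's addresses were not preserved.

```cisco
! Added example, not the thread's configuration. Assumed addressing:
!   real network behind "data":          10.10.10.0/24
!   remote office network:               172.20.30.0/24
!   mapped range the remote office sees: 192.168.108.0/24
!
! 1. Remove the many-to-one policy NAT (nat/global pair 2).
no nat (data) 2 access-list vpntraffictonat
no global (outside) 2 192.168.108.2
!
! 2. Policy ACL: only local-to-remote-office traffic is matched,
!    so traffic over the other IPsec tunnels is not translated.
access-list vpntraffictonat extended permit ip 10.10.10.0 255.255.255.0 172.20.30.0 255.255.255.0
!
! 3. Policy static: 10.10.10.x <-> 192.168.108.x, one-to-one and
!    bidirectional. The /24 is taken from the ACL's source entry, so
!    the remote office can also initiate connections to 192.168.108.x.
static (data,outside) 192.168.108.0 access-list vpntraffictonat
!
! 4. Crypto ACL on this ASA must reference the MAPPED network, since
!    NAT is applied before encryption on outbound traffic.
access-list outside_cryptomap_10 extended permit ip 192.168.108.0 255.255.255.0 172.20.30.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10
!
! The peer's crypto ACL must be the mirror image:
!   permit ip 172.20.30.0 255.255.255.0 192.168.108.0 255.255.255.0
!
! Caveats: a NAT exemption (nat (data) 0 access-list ...) that also
! matches this traffic takes precedence over the static and would
! defeat it, so check the exemption ACL. Inbound tunnel traffic to
! 192.168.108.x bypasses the outside ACL only while the default
! "sysopt connection permit-vpn" is in effect.
!
! 5. Verify after a host on each side initiates a connection:
show xlate
show crypto ipsec sa
```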

Community Member

Policy NAT question, ASA 8.2

Thank you for the response.

Yeah, the SAs are already set up for the /24, which made me wonder why they didn't just set up the network static to begin with.  Thanks for the sanity check!

