Cisco Support Community
New Member

Single address NAT from VPN

Hi All,

I have a scenario I have been trying to work out how to do and just cannot work out. I am sure someone on here with a lot more experience than me will answer this very easily.

We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of

We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.

We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.

I have configured the firewall at our central office and our satellite office to route across to our parent company via our network and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.

My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.

For example: If someone in our satellite office with an IP address of attempts to request a resource from then the request would go via the VPN to our firewall and then get NATed to before being passed on to our parent company network.

My question is what would the NAT configuration be to achieve this? I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentially, all traffic from destined for should get NATed at our firewall to before being passed on.

Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.

Many thanks in advance.



Single address NAT from VPN

Hello Lang,

The nat for that would be like this:

nat (outside) 11 outside

global (inside) 11

So all users on the outside from the subnet /22 will be natted to the inside to

Hope this helps (do not forget the keyword outside on the nat (outside)).



Julio Carvajal
Senior Network Security and Core Specialist
New Member

Single address NAT from VPN

Many thanks for that but I have a question.

Will that only NAT if the request is destined for the subnet? There are actually other VPNs connected to the firewall where it needs to keep its original IP address of The only time it should NAT is if it is going on to the subnet.

Super Bronze

Re: Single address NAT from VPN


Then you should do a Policy NAT from outside to inside specifying the traffic with access-list

In this case using the above example the configuration would look something like this

access-list VPN-POLICY-NAT permit ip

global (inside) 11

nat (outside) 11 access-list VPN-POLICY-NAT

The above configuration's access-list tells the ASA to apply the NAT of ID 11 only when traffic is coming from the outside interface from network to inside network.

To my knowledge the only thing that could override this configuration would be a NAT0/NAT Exempt configuration if it is somehow overlapping the above networks.

Please feel free to correct me but the above NAT configuration seemed to me what you were looking for

- Jouni

New Member

Re: Single address NAT from VPN

Many thanks for all your help. The commands that worked in the end were:

access-list VPN-POLICY-NAT permit ip

global (outside) 11 netmask

nat (outside) 11 access-list VPN-POLICY-NAT

So very similar except it was (outside) instead of (inside) on the global command. I couldn't have worked it out without the help from you guys.

Best Regards
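The working configuration from the last post, written out with constructed addresses as an added example; this is not the thread's own config, every address below is a placeholder because the thread's real values are not shown, and the hairpin and packet-tracer lines are assumptions I have added beyond what the posts contain. Comments explain why the global sits on (outside) and where Jouni's NAT-exempt caveat bites.

```cisco
! Constructed addresses (the thread's real values are not shown):
!   satellite office  172.16.148.0/22   (arrives over VPN on "outside")
!   London LAN        10.110.20.0/24    (parent accepts only 10.110.x.x sources)
!   parent company    10.100.0.0/16     (reached over a second VPN on "outside")
!   PAT address       10.110.20.250     (a spare London address, not a host)
!
! 1. Traffic enters and leaves the same interface (VPN -> ASA -> VPN), so
!    hairpinning on "outside" must be allowed (assumed; not shown in the thread).
same-security-traffic permit intra-interface
!
! 2. Match only satellite -> parent traffic. Any other destination (other
!    VPNs, the London LAN) is never translated because it does not hit this ACL,
!    which answers the "keep its original IP for the other VPNs" question.
access-list VPN-POLICY-NAT extended permit ip 172.16.148.0 255.255.252.0 10.100.0.0 255.255.0.0
!
! 3. The mapped address is used on the egress interface, which is also
!    "outside", so the global belongs to (outside), as the final post found.
global (outside) 11 10.110.20.250 netmask 255.255.255.255
!
! 4. Outside NAT: the real source sits on "outside", hence "nat (outside)" and
!    the trailing "outside" keyword Julio's reply says not to forget.
nat (outside) 11 access-list VPN-POLICY-NAT outside
!
! Caveats from Jouni's reply, made concrete:
!  - a "nat (outside) 0 access-list ..." (NAT exemption) that also matches
!    172.16.148.0/22 -> 10.100.0.0/16 takes precedence over this policy NAT;
!    keep any exemption ACL narrower than the policy ACL.
!  - the parent-company tunnel's crypto ACL must list 10.110.20.250 (the
!    post-NAT source) and the satellite tunnel's crypto ACL must include
!    10.100.0.0/16, otherwise the flow is dropped before or after translation.
!
! Verify without sending real traffic: the NAT phase of the trace should show
! the source translated to 10.110.20.250 and the VPN phase should pick the
! parent-company tunnel rather than dropping the packet.
packet-tracer input outside tcp 172.16.148.10 40000 10.100.5.20 80
```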

