Cisco Support Community
Community Member

Static Nat and VPN conflict


I could not quite find any information that was close enough to my problem that would enable me to solve it so hence I am now reaching out to you guys.

I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with an IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171.

I have a site-to-site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190.

Traffic from the YYY.YYY.YYY.0/24 network can't traverse the site-to-site VPN as there is a conflict of IP addresses on the far side, so it is NATted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100.

Users remote into the inside (YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site-to-site VPN. The problem is that the static NAT for the incoming connections takes preference and bypasses the site-to-site VPN tunnel for outbound traffic. I tried to create a policy static NAT but it tries to modify the static NAT that handles the incoming traffic to the Linux server.

I hope the above makes sense.


Static Nat and VPN conflict

Post your config for review:-

interesting vpn acl

static nat


vpn client pool

Community Member

Static Nat and VPN conflict


Interesting VPN ACL

object-group network DM_INLINE_NETWORK_18
 network-object YYY.YYY.YYY.0

object-group network DM_INLINE_NETWORK_22
 network-object UUU.UUU.UUU.0

access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18

Static NAT

static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask


object-group network DM_INLINE_NETWORK_20
 network-object UUU.UUU.UUU.0

access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 object-group DM_INLINE_NETWORK_20

VPN Client Pool

No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.

I hope this helps
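To make the precedence problem described in the first post concrete, here is an added example (not part of the thread, and not a Cisco tool) that models the ASA 8.2 NAT order of operations (NAT exemption, then static NAT, then policy dynamic NAT, then regular dynamic NAT) loaded with rules shaped like the posted config. The addresses are constructed stand-ins from RFC 5737/1918 documentation space for the thread's XXX/YYY/ZZZ/UUU placeholders.

```python
# Added example: a small model of ASA 8.2 NAT rule precedence.
# Constructed address mapping (not the poster's real addresses):
#   198.51.100.0/24 = YYY (inside), 192.0.2.0/24 = XXX (outside),
#   203.0.113.0/24  = ZZZ (policy-translated), 10.0.0.0/24 = UUU (far side)
import ipaddress

Net = ipaddress.ip_network
Addr = ipaddress.ip_address

# Evaluation phases in the order ASA 8.2 consults them.
NAT0, STATIC, POLICY_DYNAMIC, DYNAMIC = 0, 1, 2, 3
PHASE_NAMES = {
    NAT0: "nat0 exemption",
    STATIC: "static",
    POLICY_DYNAMIC: "policy dynamic NAT",
    DYNAMIC: "dynamic NAT",
}

# Each rule: (phase, real source network, destination network or None for
# "any", mapped source address or None for "no translation").
RULES = [
    # access-list Inside_nat0_outbound permit ip ZZZ.0/24 UUU.0/24
    (NAT0, Net("203.0.113.0/24"), Net("10.0.0.0/24"), None),
    # static (Inside,outside) XXX.171 YYY.39: regular static, any destination
    (STATIC, Net("198.51.100.39/32"), None, Addr("192.0.2.171")),
    # dynamic policy NAT: YYY.0/24 to UUU.0/24 translated to ZZZ.100
    (POLICY_DYNAMIC, Net("198.51.100.0/24"), Net("10.0.0.0/24"),
     Addr("203.0.113.100")),
]


def translate(src, dst):
    """Return (mapped source, matching phase) for the first rule that matches,
    walking the phases in 8.2 precedence order."""
    src, dst = Addr(src), Addr(dst)
    for phase, s_net, d_net, mapped in sorted(RULES, key=lambda r: r[0]):
        if src in s_net and (d_net is None or dst in d_net):
            return (str(mapped) if mapped is not None else str(src),
                    PHASE_NAMES[phase])
    return (str(src), "untranslated")


if __name__ == "__main__":
    # The VPN server (.39) heading to the far side is caught by the static
    # rule before the policy dynamic NAT is ever consulted.
    print(translate("198.51.100.39", "10.0.0.5"))   # static wins: XXX.171
    # Any other inside host is translated as the poster intended.
    print(translate("198.51.100.50", "10.0.0.5"))   # policy NAT: ZZZ.100
```

The model only reproduces rule precedence; it does not check the crypto map, so a flow that leaves with the wrong mapped source simply misses the interesting-traffic ACL and never enters the tunnel.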

