New Member

ASA 8.x AnyConnect VPN Client VPN and Double NAT

Got a little bit of a dilemma. Wondering if anyone knows how to do the following:

Got a host connected to an ASA in a datacenter via the AnyConnect VPN Client. No problems there. Trying to reach a host behind a MonoWall NAT. The MonoWall is already NATing behind an IP that the client can reach OK, but I'd like to be able to reach the host from the VPN client via the IP address behind the MonoWall. Basically, it's set up like this: -- (MonoWall NAT) -- -- -- VPNHost)

I can ping ok. I can't ping

New Member

Re: ASA 8.x AnyConnect VPN Client VPN and Double NAT

The MonoWall would have to support no-nat based on access-list policy (set a rule to no-nat that host when destined to the VPN client host(s)) and then every intermediate hop would need a route to that host's no-nat address (, including the ASA. Of course, there's probably a reason NAT was implemented to shield that part of the network and now it's being circumvented.

New Member

Re: ASA 8.x AnyConnect VPN Client VPN and Double NAT

Thanks for the response. Actually, it's to shield the rest of the network. Bypassing NAT is not what we'd like. What I'm hoping for is some way to change the source packet's destination from the 192.x.x.x to the 10.x.x.x. Routing for 10.x.x.x is already in place. I'm trying to get each end point on each side to only deal with the local subnets that each end point is located in. Thanks.