Cisco Support Community
Community Member

Can a 3015 NAT internal private addresses to the outside public address?

I have only one public IP address my ISP gave me which is configured on the outside interface of my 3015 concentrator. Inside I use a private network.

I need to establish an IPsec VPN lan-2-lan tunnel to another company who does not allow routing of private addresses in their network, so they told me I either need to get a small IP range from my ISP and use one of those extra addresses to NAT to, or if I can't get another IP address, that possibly I could NAT my private addresses to the existing outside public address.

Can I do that with this 3015 - can I NAT (or PAT) my inside private network/addresses to the single outside public address configured on the public interface?


Re: Can a 3015 NAT internal private addresses to the outside pub


Yes you can, follow the link below for a configuration guide:

Please rate if this helped.



Community Member

Re: Can a 3015 NAT internal private addresses to the outside pub

Thanks for responding. I read through the config document you recommended and it doesn't address what I need to do. That document has the sites NAT'ing to some other network, not the outside address of the 3015 like I need/want to do.

My inside network is

My 3015 outside ISP supplied address is (this is just an example).

Business partner's inside network 164.7x.0.0

The business partner who needs access to several hosts on my will not accept routing in his network for So can he send data to, which is the outside address of my 3015 (it is also the peer address that he is configuring his lan-2-lan tunnel to connect to), and can I set up NAT'ing to translate my to for his 164.7x.0.0 traffic?

Is there another guide you know of that will help with this, or do I use the guide you offered and just configure my 3015 with the addresses/subnets I need? The business partner shouldn't have to do anything on his end.

Hall of Fame Super Blue

Re: Can a 3015 NAT internal private addresses to the outside pub


The problem with this is that if the partner sends traffic to your public IP address, how will your VPN concentrator know which 192.168.3.x host that traffic is destined for?

If you need to present a number of hosts on your internal network then you have a problem with this setup. On the ASA/Pix you can use port forwarding which allows you to use one Public IP address to serve many private IP addresses on different port numbers but I'm not sure you can do this on the VPN 3000 with IPSEC. Worth checking, but it still relies on each 192.168.3.x host offering services on different ports.

Perhaps you could talk with your business partner. They might not route to but they might be happy to route to another private IP range. You could then use those to present your internal hosts.
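
Added example, not part of the thread and not Cisco configuration: a small Python model of the port-forwarding (static PAT) constraint described in the reply above, showing that one public address can front several 192.168.3.x hosts only when each gets its own public port. The public address, host addresses, ports and all names are constructed for illustration.

```python
# Added illustration: static PAT (port forwarding) on a single public address.
# All addresses and ports below are constructed sample values.
PUBLIC_IP = "203.0.113.10"  # documentation-range stand-in for the one ISP address


class PortForwardTable:
    """Maps (protocol, public port) on one public IP to one inside (host, port)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.rules = {}

    def add(self, proto, public_port, inside_ip, inside_port):
        key = (proto, public_port)
        if key in self.rules:
            # Two inside hosts cannot share one public port: an inbound packet
            # carries no other field that says which host was meant.
            owner = self.rules[key][0]
            raise ValueError(f"{proto}/{public_port} already forwards to {owner}")
        self.rules[key] = (inside_ip, inside_port)

    def translate_inbound(self, proto, dst_ip, dst_port):
        """Return the inside (host, port) for an inbound packet, or None to drop."""
        if dst_ip != self.public_ip:
            return None
        return self.rules.get((proto, dst_port))


def build_example():
    table = PortForwardTable(PUBLIC_IP)
    table.add("tcp", 80, "192.168.3.10", 80)      # first web server
    table.add("tcp", 8080, "192.168.3.11", 80)    # second web server needs its own public port
    table.add("tcp", 3389, "192.168.3.12", 3389)  # remote desktop host
    return table


if __name__ == "__main__":
    t = build_example()
    print(t.translate_inbound("tcp", PUBLIC_IP, 8080))
    try:
        # A third web server cannot also claim public port 80.
        t.add("tcp", 80, "192.168.3.13", 80)
    except ValueError as exc:
        print("rejected:", exc)
```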


