Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT Question

We are using a Cisco 3015 Concentrator. My situation is this:

A remote network, 7.x.x.x, does not want to NAT on their end. We want them to NAT to 172.16.x.x, so all incoming traffic through their tunnel would appear to be coming from this address, 172.16.x.x. They refuse to do this. Since they refuse, all incoming traffic is coming from the 7.x.x.x address. Is their a way I can NAT their incoming address on my end? In other words can I convert the 7.x.x.x address to the 172.16.x.x address as it enters my end?

I am familiar with the fact that our Concentrator can NAT our internal address's, in fact we do it on a majority of our tunnles. However, I need to do just the opposite of that. I need to NAT an incoming address to an adress that I want to see it is. Thanks for the help.

New Member

Re: NAT Question


I wanted to do exactly the same thing with our VPN3030 box.

Here's what I've learned ...

LAN-to-LAN NAT on Cisco VPN Concentrators translate source IP on the PRIVATE interface, before encrypting. They do not allow for translating the source IP on the PUBLIC interface after decrypting.

In short: you can't do it with Cisco VPN concentrators. TAC confirmed this for me.

I'm looking into being able to provide this functionality through a router or pix. If it works, I'm moving all my L2L VPN's to the router or pix immediately.

Since this is such a bad deal for Cisco NOT to have this functionality on their VPN products, I would expect the company to respond fairly quickly with the added feature set.

Hope this helps.


New Member

Re: NAT Question

Thanks a lot. I will stop myt search here. You have been very helpful.