Cisco Support Community

New Member

NAT Translation to Address on Inside of Firewall

Greetings, we have recently deployed an MPLS network for one of our customers; all internet traffic is routed out via a firewall managed by ourselves at the HQ location.

All remote sites have MPLS addresses assigned in the range; all internal LAN-facing subnets have allocations in the /16 range.

At present, if I form a remote access IPsec VPN connection with the firewall, I can gain access to each router on its LAN-facing interface but can't get access to its MPLS-facing interface on the range. This still applies if I add the network to the split tunnel ACL. I can ping devices on the network from the firewall.

For remote access VPN connections, is it possible to put NAT statements on the firewall in an inbound direction to, say, translate the outside address of the remote site from 172.18.255.x to 10.130.x.x?

Any help would be much appreciated.

Hall of Fame Super Blue

Re: NAT Translation to Address on Inside of Firewall

I'm not sure I fully understand your topology, but if you want to translate incoming source IP addresses on a firewall

static (outside,inside)

would NAT coming in through the outside interface to


New Member

Re: NAT Translation to Address on Inside of Firewall

Cheers for the replies, guys. I have attached a quick example of the current setup.

Each remote site has two subnets sitting behind the LAN interface of the router in the and ranges.

The MPLS facing interface has addresses out of the address space.

The firewall at the HQ has an inside address of as part of the HQ /24 subnet.

Now when I connect to the firewall via remote access VPN, I can connect to every site that has an address in the address space but can't connect to any address in either the or range.

The response from the firewall indicates that there is no translation group:

No translation group found for icmp src outside: dst inside: (type 8, code 0)

I do have a split tunnel list that covers both the and networks, but I still receive the above response, hence my question as to whether it would be possible to drop in either a dynamic or static NAT rule that would match traffic coming in from a remote access VPN connection, allowing me to get to both the and networks respectively.


New Member

Re: NAT Translation to Address on Inside of Firewall

An image would help

New Member

Re: NAT Translation to Address on Inside of Firewall

Sounds like a routing/ACL issue. Can you ping the remote LANs from the ASA? If you can, then you should also be able to access them from the VPN pool IPs; if not, check the ACL for the split tunnel to make sure the LAN addresses are listed and that the LAN segments can get back to the IP range of the pool. You shouldn't need to translate unless you have overlapping addresses on the MPLS.
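The two checks the last reply lists (is the destination actually listed in the split-tunnel ACL, and does the remote segment have a route back to the VPN pool) can be scripted against exported configuration lines before touching NAT. The following is an added example, not code from this thread or from Cisco. The ACL entries, the `route` lines, the pool 10.250.0.0/24, and the 10.130.0.0/16 and 192.168.10.0/24 networks are constructed placeholders written in ASA-style syntax; the split-tunnel ACL deliberately omits the 172.18.255.0/24 MPLS-facing range, which reproduces the original poster's symptom of reaching LAN interfaces but not MPLS-facing ones.

```python
"""Sanity-check a split-tunnel ACL and return routing for a remote-access VPN pool.

Added example (not the thread's or Cisco's configuration).  All addresses,
ACL lines and routes below are constructed placeholders in ASA-like syntax.
"""
import ipaddress
import re

# Constructed split-tunnel ACL in ASA "standard" ACL form.  It lists the
# internal /16 and one LAN /24 but NOT the MPLS-facing 172.18.255.0/24.
SPLIT_TUNNEL_ACL = """
access-list SPLIT_TUNNEL standard permit 10.130.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
"""

# Constructed routing table of a remote-site router: what the remote LAN
# segment uses to get back to the VPN pool via the MPLS-facing interface.
REMOTE_SITE_ROUTES = """
route mpls 10.130.0.0 255.255.0.0 172.18.255.1
route mpls 10.250.0.0 255.255.255.0 172.18.255.1
route mpls 0.0.0.0 0.0.0.0 172.18.255.1
"""

VPN_POOL = ipaddress.ip_network("10.250.0.0/24")  # constructed pool range

ACL_RE = re.compile(r"access-list\s+(\S+)\s+standard\s+(permit|deny)\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_standard_acl(text):
    """Return [(action, network), ...] in configured order from standard-ACL lines."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            _name, action, addr, mask = m.groups()
            entries.append((action, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return entries


def split_tunnel_covers(acl_entries, dst):
    """First-match semantics: True only if the first matching entry permits dst.
    No match means the implicit deny: the client sends dst outside the tunnel."""
    host = ipaddress.ip_address(dst)
    for action, net in acl_entries:
        if host in net:
            return action == "permit"
    return False


def parse_routes(text):
    """Return [(network, interface, next_hop), ...] from 'route' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, addr, mask, gw = m.groups()
            routes.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface, gw))
    return routes


def route_for(routes, dst):
    """Longest-prefix match; returns (network, interface, next_hop) or None."""
    host = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


def check_reachability(dst, acl_text=SPLIT_TUNNEL_ACL,
                       route_text=REMOTE_SITE_ROUTES, pool=VPN_POOL):
    """Report, for a VPN-pool-to-dst flow, whether the split-tunnel ACL sends it
    into the tunnel and whether the remote site has a route back to the pool."""
    acl = parse_standard_acl(acl_text)
    routes = parse_routes(route_text)
    pool_host = str(next(pool.hosts()))        # any pool address will do
    back = route_for(routes, pool_host)
    return {
        "dst": dst,
        "in_split_tunnel": split_tunnel_covers(acl, dst),
        "return_route": None if back is None else str(back[0]),
        # a default route may still work, but it is worth confirming by hand
        "return_is_default": back is not None and back[0].prefixlen == 0,
    }


if __name__ == "__main__":
    for target in ("10.130.5.10", "192.168.10.7", "172.18.255.2"):
        print(check_reachability(target))
```

Run it as-is and the MPLS-facing address 172.18.255.2 is reported as not in the split tunnel, which matches the thread's symptom: the client never sends that traffic into the tunnel, so no NAT rule on the firewall would change the outcome. Adding a `permit 172.18.255.0 255.255.255.0` entry to the constructed ACL flips the result, which is the check to make before looking at translation.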