Cisco Support Community

How to configure Policy NAT for VPN traffic on PIX/ASA

Core issue

Policy NAT lets you change the source address of interesting traffic to a different address. This is especially useful when networks overlap.


To configure Policy NAT for VPN traffic, for example to change the source address, refer to this configuration example. In this example, the internal network is 

  • Create an access-list for Policy NAT with real source and a destination IP address.

access-list POLICYNAT extended permit ip host
access-list POLICYNAT extended permit ip

  • Create a static command that states that when source is and destination is or, change it to

static (inside,outside) access-list POLICYNAT

  • Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example,

access-list VPN extended permit ip host
access-list VPN extended permit ip

  • Apply the crypto access-list to crypto map.

crypto map VPN 10 match address VPN
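
The four steps above as one complete configuration. This is an added example, not part of the original document; every address in it is constructed for illustration, and the two show commands at the end are an added verification step. It uses the same `static` policy NAT syntax as the page, which was removed in ASA 8.3 and later.

```cisco
! Constructed addresses (assumptions, not from the original document):
!   real inside host       10.10.10.5
!   mapped (NAT) address   172.16.99.5
!   remote VPN networks    192.168.20.0/24 and 192.168.30.0/24
!
! Step 1: Policy NAT ACL. Source is the REAL address; destinations are
!         the remote networks reached through the tunnel.
access-list POLICYNAT extended permit ip host 10.10.10.5 192.168.20.0 255.255.255.0
access-list POLICYNAT extended permit ip host 10.10.10.5 192.168.30.0 255.255.255.0
!
! Step 2: Translate 10.10.10.5 to 172.16.99.5 only for traffic that
!         matches POLICYNAT. Other traffic from the host is not
!         translated by this statement.
static (inside,outside) 172.16.99.5 access-list POLICYNAT
!
! Step 3: Crypto ACL. Source is the MAPPED address, because the ASA
!         applies NAT before it matches traffic against the crypto map.
!         An ACL written with the real address here would never match.
access-list VPN extended permit ip host 172.16.99.5 192.168.20.0 255.255.255.0
access-list VPN extended permit ip host 172.16.99.5 192.168.30.0 255.255.255.0
!
! Step 4: Bind the crypto ACL to the crypto map entry.
crypto map VPN 10 match address VPN
!
! Verification (exec mode), after sending traffic from 10.10.10.5 to a
! remote host:
!   - the translation table should show 10.10.10.5 mapped to 172.16.99.5
!   - the IPsec SA should list 172.16.99.5 as the local identity, with
!     encaps/decaps counters increasing
show xlate
show crypto ipsec sa
```

The remote peer must define its interesting traffic with the mapped address (172.16.99.5 in this example) as the destination, otherwise the proxy identities will not match and the SA will not come up.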

Version history: Revision 1 of 1
Last update: 06-17-2009 10:15 PM
New Member

What about if the same NAT IP needs to be used for another client B?

Then I get an error.

Let's say that after the above config I do the same for another client B:

static (inside,outside) access-list CLIENTB-POLICYNAT

It gives me an error that it is already in use. How can I fix this? I am moving from a Cisco VPN Concentrator to ASA, whereas on the Concentrator this situation works.