Cisco Support Community

ASA 5510 8.4 IPsec VPN and NAT


I have a scenario in the attached file.

I have an active VPN between my site and our development site.

As our project progresses, I have to set up this type of site. Please see the attached file.

network is connected through our router via E1 link and the host address and is configured to access the test server to another place. (Please see attached.)

I would like to configure and to our development team which is on ASA 5510, which we have active VPN link. Is it possible to NAT this address to VPN?

This is my ASA 5510 configuration:

ASA Version 8.4(2)

hostname PLFW2
enable password OugAcj/cMWkjv4CJ encrypted
passwd OugAcj/cMWkjv4CJ encrypted

interface Ethernet0/0
 nameif Outside
 security-level 10
 ip address

interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.X.X

ftp mode passive
clock timezone WAT 1
same-security-traffic permit inter-interface
object network Outside_GW
object network Bucharest_LAN
object network SITEA
 subnet 192.168.X.X
 description EDITEC_LAGOS
object network TESTSRV
 host 192.168.X.X
 description editec_test_srv
object network GLO_VTU
 description GLO_editec_Lagos
object network GLO_IP_TEST_APN
 description GLOAPN
object network Production_GLo
 description Production_Glo
object network Test_Server_Glo
 description Test_access
object network GloApn_Network
object-group network DM_INLINE_NETWORK_1
 network-object object Airtel_Test
 network-object object TESTSRV
object-group network DM_INLINE_NETWORK_2
 network-object object Production_GLo
 network-object object Test_Server_Glo
object-group network DM_INLINE_NETWORK_3
 network-object object Production_GLo
 network-object object Test_Server_Glo
object-group network DM_INLINE_NETWORK_4
 network-object object Production_GLo
 network-object object Test_Server_Glo
access-list Outside_cryptomap extended permit ip object SITEA object Bucharest_LAN
access-list global_access extended permit ip any any
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 object Bucharest_LAN
no failover
nat (Inside,Outside) source dynamic DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_3 destination static Bucharest_LAN Bucharest_LAN description GLO_NAT_To_Bucharest
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 1
route Inside 1
route Inside 1
route Inside 1
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal 3DES DES
crypto map Outside_map 1 set ikev2 pre-shared-key *****
crypto map Outside_map interface Outside
crypto ikev2 policy 1
group-policy GroupPolicy_86.120.198.157 internal
group-policy GroupPolicy_86.120.198.157 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy GroupPolicy_86.120.198.157
tunnel-group ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
