Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA-Static NAT inside Tunnel


Connecting VPN to customer. Customer has connection already to different

location that has overlapping network with ours, so they cannot route to

our subnet through tunnel. We have servers on our network that the

customer must access directly. Wish to use NAT to accomplish this.

Instead of connecting to our server's real ip addresses, the customer must

connect to a NAT address. We do not have enough public ip addresses to use

for statics on all of our servers, and wish to have our customer connect

to NATted RFC1918 addresses instead.

Will static (Policy NAT) work below? If not, how else should I configure this?

All addresses in this example are fictitious.


Site A (Local) information

Peer (outside interface): 2.x.2.1

PAT address for LAN traffic to Internet: 2.x.2.2

LAN Subnet: /24

Static xlates to LAN from RemoteCust: /24


Site B (Remote) information

Peer Address: 3.x.3.3

Remote LAN Subnet: /24

Remote Site has route to another location that uses already.

Remote must connect to NAT address at Local Site


ASA5510# sh run

: Saved


ASA Version 7.1(2)


interface Ethernet0/0

description External Interface - Connected to ISP router

nameif outside

security-level 0

ip address 2.2.x.x.255.255.248


interface Ethernet0/1

description Connected to LAN

nameif inside

security-level 100

ip address



access-list CustomerVPN remark **Encrypt This Traffic to Remote**

access-list CustomerVPN extended permit ip host

access-list CustomerVPNHost30 extended permit ip host



nat (inside) 0 access-list NoNat


global (outside) 1 netmask

nat (inside) 1



static (inside,outside) access-list CustomerVPNHost30



crypto ipsec transform-set CustomerTransform esp-3des esp-md5-hmac



crypto map CryptoMap 30 match address CustomerVPN

crypto map CryptoMap 30 set peer

crypto map CryptoMap 30 set transform-set CustomerTransform

Crypto map CryptoMap interface outside


isakmp identity address

isakmp enable outside

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 28800

isakmp nat-traversal 20


tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *****

Thank you,


  • VPN

Re: ASA-Static NAT inside Tunnel

when performing static NAT on the firewall the tunnel is not going to come up as the access-lists matching the interesting traffic on the routers will not match.

New Member

Re: ASA-Static NAT inside Tunnel

Hi Jamison,

I see your issue. Lets look at the VPN overlapping issues first. Let the remote network target a virtual subnet that doesn't physically exist, and route this to the ASA (If not the Default Gateway on the LAN already). Then place a static NAT on the ASA from this to the overlapping address, then create the crypto access-list. As NAT occurs before encryption and you are applying NAT first, you can leave out the NO-NAT access-list completely. For the servers and the remote site contacting you with not enough addresses, this could be an issue. The only way i think would be to check the ports utilised and produce static NATs that are port specific, allowing you to utilise the same public address more than once.

Let me know how this works for you :-)


New Member

Re: ASA-Static NAT inside Tunnel