Cisco Support Community
Community Member

[ASA] VPN with source nat


I'd need to set up site-to-site VPN using ASA 5505 and software 8.2.

LAN1 is, LAN2 is

The particular thing among the others I've ever set up is that I have to show up to LAN1 as, and not as

I have as NAT exempt rule, in order to make packets travel the IPsec tunnel, but how can I set up a NAT rule in order to modify the LAN2 address and show up to LAN1 as 172.16.1.x instead of 10.2.0.x?

Thanks a lot


Super Bronze



Is the remote end device also an ASA?

Do you have control over it?

You can (for example) do a Policy NAT on the remote site to achieve this

access-list L2L-VPN-POLICYNAT permit  ip

static (inside,outside) access-list L2L-VPN-POLICYNAT

Please also remember that you have to take this into account in the VPN configurations as the LAN2 will not be showing to the L2L VPN connection anymore with its original IP address.

You will have to modify the "crypto map match address" access-list on both sides' ASAs to reflect the NAT changes that you have just done.

Please rate if it was helpful

- Jouni
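
The policy NAT and crypto ACL change described in the reply above, written out as an added example that is not part of the original thread. It assumes ASA software 8.2 (pre-8.3 NAT syntax), LAN2 as 10.2.0.0/24 behind the ASA doing the NAT, and a translated network of 172.16.1.0/24; `LAN1_NET`, `LAN1_MASK`, `LAN1_HOST`, `MAP_NAME`, `SEQ` and the ACL name `L2L-VPN-CRYPTO` are placeholders.

```cisco
! Added example, ASA 8.2. Uppercase tokens (LAN1_NET, LAN1_MASK, LAN1_HOST,
! MAP_NAME, SEQ) are placeholders; the /24 masks are an assumption.

! 1. Policy NAT: translate LAN2 only when the destination is LAN1.
!    All other traffic from 10.2.0.0/24 keeps its existing NAT behaviour.
access-list L2L-VPN-POLICYNAT extended permit ip 10.2.0.0 255.255.255.0 LAN1_NET LAN1_MASK
static (inside,outside) 172.16.1.0 access-list L2L-VPN-POLICYNAT

! 2. Crypto ACL: NAT is applied before the crypto map is matched, so the
!    encryption domain must name the translated source, not 10.2.0.0.
access-list L2L-VPN-CRYPTO extended permit ip 172.16.1.0 255.255.255.0 LAN1_NET LAN1_MASK
crypto map MAP_NAME SEQ match address L2L-VPN-CRYPTO

! 3. NAT exemption (nat 0 access-list) is evaluated before static policy
!    NAT. The exemption ACL must not contain a line matching
!    10.2.0.0/24 -> LAN1, or the traffic leaves untranslated and no
!    longer matches the crypto ACL above.

! 4. Checks after the change:
!    packet-tracer input inside icmp 10.2.0.10 8 0 LAN1_HOST
!      -> the NAT phase should show a translation into 172.16.1.0/24
!    show crypto ipsec sa
!      -> the local ident should be 172.16.1.0/255.255.255.0
```

The peer's crypto ACL has to be the mirror image (LAN1 to 172.16.1.0/24), and hosts in LAN1 address LAN2 hosts by their 172.16.1.x addresses.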

Community Member


No JouniForss,

I don't have any access to remote router.

But if I have to ask them something, just tell me what to ask.

Ciao and thanks

Super Bronze



Could you explain a bit more about the situation?

I mean like the following things

  • What's the relationship with the 2 sites? Are you providing some service to them or they to you? Is the other site just another site of your company?
  • Why is there a need to NAT the network to Are you planning on using the network in your own LAN?
  • Is there any L2L VPN configured at the moment?
  • Have you configured a L2L VPN with the ASA before?
  • Does the remote site have a person able to configure the L2L VPN?

For one I would suggest that you handle the NAT at the local device of the network that needs to be visible with a different network/address to the L2L VPN connection.

You will also have to take this into consideration in the encryption domain configurations of the ASA and the remote router. This is of course because the site1/site2 networks for the L2L VPN won't be the same anymore after the NAT has been applied.

- Jouni
