Cisco Support Community

Having Problem in Policy NAT

Hi All,

  Please find my requirements below & the test results.

Existing Setup

  • Created site-to-site VPN (Client ASA ~ Data Center ASA).
  • Tunnel established. Only Client WRKS-A ( & Data Center Server-A ( are in the allowed hosts on the VPN ACL.
  • Able to transfer files from Client to with no issues.

  • Assume a situation where I am taking my Server-A ( down for maintenance for 6 hours. Until the maintenance is complete, I will have the Server-B ( in place, so that I need not inform the client to add it in his ASA.
  • Since is not in the allowed VPN, I have a POLICY-NAT configuration in place on the Data Center ASA, so that the file transfer from will not be interrupted.

static (inside,outside)  access-list CLIENT_VPN_Policy_NAT

access-list CLIENT_VPN_Policy_NAT extended permit ip host host

access-list nonat extended permit ip host host

Test Results

  • Successful & able to receive files from to after the policy NAT configuration, & hence I decided that I will use this policy NAT configuration forever, so that the client will keep transferring the files only to forever, though is not in his allowed ACL.

  • I have another client on a different VPN tunnel, where I have to permit ONLY to transfer the files from . The issue here is: the tunnel establishes, but the client is transferring the files to because a POLICY-NAT for the IP is configured for the previous client.

  • Why does this POLICY-NAT reflect to the other tunnels when they also use the same IP ?

  I was assuming that POLICY-NAT will reflect only on the tunnel where I configure it, but this seems to be reflecting on all whomsoever is using .


Re: Having Problem in Policy NAT

This is the default behavior of Policy NAT. For incoming traffic, it won't consider the source IP mentioned in the Policy NAT ACL.

As a workaround you need to apply filtering via access-lists. By default there is no ACL check for VPN traffic; you have to enable it via sysopt commands.

Alternatively you can put an outbound ACL on the inside interface, allowing access to from the client only. Don't forget to permit everything else at the end of the ACL.
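The outbound-ACL workaround from the reply above, written out as an added example (not configuration from the original thread). The thread's addresses are not shown, so the IP addresses and ACL name INSIDE_OUT below are constructed placeholders; the syntax is the same pre-8.3 ASA style as the original post.

```cisco
! Added example, not from the thread. Placeholder addresses (constructed):
!   192.0.2.10  = Client-A WRKS-A, the only host that should reach Server-B
!   192.0.2.20  = Client-B host on the second tunnel
!   10.10.10.5  = Server-A (under maintenance)
!   10.10.10.6  = Server-B (stand-in, reached through the policy NAT)
!
! Situation described in the question: the static policy NAT answers for
! Server-A's address on every inbound connection, whichever tunnel it came
! from, so Client-B's transfers also land on Server-B.
static (inside,outside) 10.10.10.5 access-list CLIENT_VPN_Policy_NAT
access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.10.10.6 host 192.0.2.10
!
! Workaround from the reply: an outbound ACL on the inside interface that
! lets only Client-A's workstation reach Server-B and permits everything
! else at the end, so other flows through the firewall are untouched.
access-list INSIDE_OUT extended permit ip host 192.0.2.10 host 10.10.10.6
access-list INSIDE_OUT extended deny   ip any host 10.10.10.6
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
!
! Alternative from the reply: VPN-decrypted traffic bypasses interface ACLs
! by default; disabling that makes it subject to the outside interface ACL.
no sysopt connection permit-vpn
```

Check the result with `show access-list INSIDE_OUT`: the deny line's hit count should rise when Client-B attempts a transfer while Client-A's transfers keep matching the first permit line.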



Re: Having Problem in Policy NAT

Thanks Farrukh. Let me try this & shall get back to you some time during next week.