Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to configure opposite NAT policies on the same ASA.

Issue : Our company is currently in the process of migrating all the vendor VPn traffic from concentrators to ASA -5540s. Our vendors connect using either Clientless , Client based and /or Site2Site.

All the 3 VPN configurations need to exist on the same appliances.

We have currently have a stable environment set up for Clientless and IPSEC client where vendors connect to real addresses. However our Site to Site connections ( which initally ) existed on a concentrator needs to be moved to the same ASA. The site to Site masks internal addresses by natting them to a public address range 168.244..0.0 /16

Is there a way to configure ASA to nat only Siteto Site traffic and not the Client and Clientless traffic .

One option our team has come up with is to create a new DMZ on the ASA and route traffic pointing to the new DMZ range.

Is there any otherworkable solution ?

Thanks in advance



Re: How to configure opposite NAT policies on the same ASA.

Not sure your ASA version. If it is running early than 8.3, You can configure policy static NAT to only nat the traffice for site to site VPN.

1. define a ACL to include all site to site traffic

access-list s2s permit ip

access-list s2s permit ip

2. configure policy static nat

static (inside_interface_name, outside_interface_name) netmask access-list s2s

Here is command ref

8.3 code can do the same but the syntax is different.

CreatePlease login to create content