IPSEC PAT overlapping with Internet PAT


I have a Cisco ASA on which my company internet is running.

nat (INSIDE) 1 access-list NAT

global (OUTSIDE) 1

access-list extended NAT permit ip any

Now I have to configure an IPSEC VPN on the same ASA.

Over the VPN I have to access destination IP from source IP 10.x.x.x

So I made

nat (INSIDE) 2 access-list SONI

global (OUTSIDE) 2

access-list SONI extended permit ip host

Now what is happening is, my traffic is getting PAT to and going to internet, instead of patting to and going to IPSEC TUNNEL.

So the tunnel is not establishing.

How can I force the second GLOBAL to activate for my VPN destination  and PAT to when I access the destination from my PC on 10.x.x.x?

One solution I can think of is to SWAP the sequence numbers of NAT and GLOBAL.

Like make my internet NAT on SEQ 2 and my specific IPSEC SEQ on SEQ1

nat (INSIDE) 2 access-list NAT

global (OUTSIDE) 2

nat (INSIDE) 1 access-list SONI

global (OUTSIDE) 1

What other options do I have? I don't want to bust internet traffic, so I want some other seamless option.


IPSEC PAT overlapping with Internet PAT

Try and change the ACL from:

access-list extended NAT permit ip any

to:

access-list extended NAT deny ip host

access-list extended NAT permit ip any
