Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Ipsec tunnel + NAT


I have given a task to setup a site-site VPN tunnel between my site and external vendor. Vendor wants the source IP to be a valid ISP IP instead of internal address. My question can i NAT the source at my end to the same IP which is acting as VPN Gateway (where the tunnel terminates in my ASA) i.e natting the source to the interface? will that work?

My source IP :

AAS Interface IP (acting as VPN GW for site-site vpn) : x.x.x.x

Source will NAT to : x.x.x.x




Ipsec tunnel + NAT

Hello Sridhar,

what do you mean by valid ISP IP instead of internal address.

please let us know what is ur intside and outside IP's

New Member

Ipsec tunnel + NAT

vendor doesnt want to use the internal IP (in my case to connect, instead of that he would like to use a public IP. My question is if i Nat my source IP ( to the same interface which is acting as VPN GW will that work? if this recommened?

Super Bronze

Re: Ipsec tunnel + NAT


You can use the your VPN Devices public IP address on the L2L VPN connection also but you will have to be carefull with the NAT configuration.

You would have to configure either Static PAT , Static Policy PAT or Static Policy NAT

You should NOT configure Static NAT using the interface IP address (of the ASA?) or you will potentially cause problems with traffic forwarding.

If you have other free public IP addresses then you can naturally use them for the configurations also.

EDIT: As stated above if this L2L VPN serves only connection from your site to the remote site then you probably wont need any additional NAT configurations as the internal hosts traffic should match the basic Dynamic PAT rule you have in place for any outbound traffic. If the remote site needs to form connections to your site then you would need some NAT configuration mentioned above.

- Jouni

New Member

Ipsec tunnel + NAT

If vpn setup is on ASA then I guess what your vendor is asking for is the IP of your Outside interface of your ASA (which is a most likely a public IP or ISP given IP). You do not require a NAT since it probably exists if your internal IP (i assume 10..x.x.x range) have access to the internet. let us know if my assumptios are not currect and then clarify.

CreatePlease to create content