New Member

NAT issue with VPN Site to Site (Remote LANs with IP address)


I have an ASA5510 to connect clients to my company. I use site-to-site IPsec VPNs with different VPN equipment on the other side (Cisco, Sonicwall, Zyxel, Checkpoint ...).

For every remote LAN I translate the client network to a single IP address.

For instance

Client1    Dynamic PAT (hide)     a.b.c.1/24

Client2     Dynamic PAT (hide)     a.b.c.2/24

Client3     Dynamic PAT (hide)     a.b.c.3/24


Everything is working fine but now I have a new client with the same IP network as client1

I tried

Clientn    Dynamic PAT (hide)     a.b.c.n/24

But when I did it, client1 lost the connection and I had to remove the clientn network ...

Do you have an idea how to permit the same remote IP addresses to use the VPN?

For information, I use ASDM to set up the ASA.



Sorry for my English ...

New Member

NAT issue with VPN Site to Site (Remote LANs with IP address)

Ask the client to NAT their network to something you're not already using. Unless they are accessing a network on your side that is different from the network client1 is accessing on your side. If that is the case, you could create a rule that states: if traffic is coming from client1 to network1, then PAT to this IP address. If traffic is from clientn to networkn, then PAT to this IP address.

New Member

NAT issue with VPN Site to Site (Remote LANs with IP address)

Thank you William, but I can't ask clients to NAT their networks, and they all connect to the same network on my side:

Client1 Dynamic PAT (hide) a.b.c.1/24 connect to w.x.y.0/24

Client2 Dynamic PAT (hide) a.b.c.2/24 connect to w.x.y.0/24

Client3 Dynamic PAT (hide) a.b.c.3/24 connect to w.x.y.0/24

Clientn Dynamic PAT (hide) a.b.c.n/24 connect to w.x.y.0/24

From the beginning, I have NATed the clients' networks to avoid that kind of problem, and I don't understand why it is not working.

Might I have to change the NAT type?


Re: NAT issue with VPN Site to Site (Remote LANs with IP address)

Hi Laurent,

I'm afraid the ASA is not built to do something like that. Even if you manage to configure several NAT rules so that the remote VPN addresses are mapped to different address ranges on your inside, the ASA will have difficulties deciding which of the identical remote networks is to be chosen.

On IOS you can do something like that; the features you might want to take a look at are VTI, VRF-lite and VRF-aware NAT. The VTI is a tunnel interface which represents an IPsec connection to one of your customers and is associated with a VRF. The NAT configuration just needs to address the VRF in addition to the outside-global and outside-local addresses, with ip nat inside/outside on the interfaces as usual. The classical crypto map is replaced by tunnel-src/dst and a tunnel protection profile.

That's the best I can think of...
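An added example, not part of the original thread and not Cisco code: a simplified Python model of the ambiguity described in the answer above, contrasting a PAT lookup keyed on source address alone with one keyed on (VRF, address). The peer names, VRF names and addresses are constructed placeholders (the thread masks its own), and the model does not reproduce ASA or IOS internals.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: RFC 1918 / RFC 5737 placeholders, not the
# poster's real networks. "vrf" is a hypothetical per-customer VRF name.
PEERS = [
    {"name": "client1", "vrf": "CLIENT1", "remote": "192.168.1.0/24", "pat": "198.51.100.1"},
    {"name": "client2", "vrf": "CLIENT2", "remote": "192.168.2.0/24", "pat": "198.51.100.2"},
    {"name": "clientn", "vrf": "CLIENTN", "remote": "192.168.1.0/24", "pat": "198.51.100.9"},
]

def overlapping_peers(peers):
    """Return pairs of peer names whose real remote networks overlap."""
    nets = [(p["name"], ipaddress.ip_network(p["remote"])) for p in peers]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]

def pat_by_address(peers, src):
    """Address-only lookup: the first rule containing src wins,
    regardless of which tunnel the packet arrived on."""
    ip = ipaddress.ip_address(src)
    for p in peers:
        if ip in ipaddress.ip_network(p["remote"]):
            return p["pat"]
    return None

def pat_by_vrf(peers, vrf, src):
    """Lookup keyed on (vrf, address): the tunnel's VRF tells
    identical remote networks apart."""
    ip = ipaddress.ip_address(src)
    for p in peers:
        if p["vrf"] == vrf and ip in ipaddress.ip_network(p["remote"]):
            return p["pat"]
    return None

if __name__ == "__main__":
    # Pre-change check: which peers claim overlapping remote networks?
    print("overlaps:", overlapping_peers(PEERS))
    # A clientn host is translated with client1's PAT address here.
    print("address-only:", pat_by_address(PEERS, "192.168.1.200"))
    # With the VRF as part of the key, clientn gets its own PAT address.
    print("vrf-aware:", pat_by_vrf(PEERS, "CLIENTN", "192.168.1.200"))
```

Running `overlapping_peers` against the planned peer list before adding a new tunnel flags the collision that took client1 offline in the original post.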


New Member

Re: NAT issue with VPN Site to Site (Remote LANs with IP address)

Hi Mika

I don't understand why the ASA has difficulties deciding which remote network to choose, because the NAT IP address a.b.c.x is assigned to just one client, which is in only one crypto map.

From the client

Client1 Crypto-map1 Dynamic PAT (hide) a.b.c.1 connect to w.x.y.x

Client2 Crypto-map2 Dynamic PAT (hide) a.b.c.2 connect to w.x.y.x

From my side

w.x.y.x responds to a.b.c.1 in Crypto-map1 (to Client1)

w.x.y.x responds to a.b.c.2 in Crypto-map2 (to Client2)

The solution with VTI and VRF seems (to me) complicated to operate.

