Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT over VPN

We have a support provider that will only use public IP space for support. So, when using a VPN tunnel for this support, we'll need to configure NAT from public address we give the provider to the private address of the device they access.

The only public space we have is the range that is assigned to the outside interface of the ASA. How can I configure an address from this range to be used in a NAT configuration over VPN.

The provider will initiate a support session over a tunnel to a public IP address, which I will then need to NAT to the private address.



Hi, So all you need is you



So all you need is you need to do NAT @ your end to a public address... say is the host you are doing a static NAT to and your destination network is 194.x.x.x....

your crypto acl should be mapped to public ip address instead of real address.....


access-list crypto_acl extended permit ip host host 194.x.x.x


so you need to have NAT statements and crypto_acl matching on the other side as well....




New Member

Then what would the NAT

Then what would the NAT statement look like for doing this over a tunnel in 8.3 code?

It would be something like

It would be something like


nat (inside,outside) source static <local ip / object name> <mapped ip/object name> destination static <destination real ip> <destination real ip> no-proxy-arp


either you can create a object and add objects else do by mentioning ip