Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Port Address Translation using IP Address of Interface

Hello All,

If you're using the "PAT using IP Address of Interface" option as the translated address for an IPSec VPN tunnel...then what would you use as the Local Encryption Network?

Would it be what the Outside-Network Subnet ID is?


Source: DMZ-network/24

Destination: X.X.X.0/24

Translated Address:  A.A.A.66/28


Name (Remote Peer IP):  X1.X1.X1.193

Local Network:  outside-network/28????? (or could this just be the NAT'd to IP address A.A.A.66/28)?

Remote Network: X.X.X.0/24


Thank you for the help,


Super Bronze

Port Address Translation using IP Address of Interface


In our case atleast, usually there is NAT0 / NAT Exempt for all L2L VPN traffic.

I guess you will just want to PAT all traffic from one site to the other? So basicly only one site would be establishing the connections in this L2L VPN setup? (Since you can't access host behind the PAT translations only)

To my understanding if you want to use some PAT address on your firewall as the source address for the L2L VPN traffic, you use the PAT address as your local network in the encryption domain configurations.

For example we have a setup where we have a /24 public network on our outside interface of ASA

Our encryption domain ACL therefore  has the whole /24 public network range as the source address for the L2L VPN. Some of the translations are simple PAT translations. Some are Policy PAT translations. Some are just static NATs.

Please rate if you found any information helpfull.

- Jouni

Community Member

Port Address Translation using IP Address of Interface

Thank you for the feedback/help Jouni,

Sounds like using the "outside-network" public IP address network will be ok as the Local Encryption network for the L2L VPN?

After that, our DMZ can be PAT'd to the outside IP address of the interface itself to their remote "local" network.

Then in theory all should work.

Does the above sound right to you?

Thanks Again!


CreatePlease to create content