Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site to Site VPN: Create NAT in ASA 5525

Hello Guys,

It's my first time to post here and not an expert is cisco products so please bear with me.

I have this problem wiht our Site to Site VPN our client wanted us to make a NAT with our current
network setup cz it very hard for thim make ajustments. so basicallly out netowk layout is that
we have local network with multiple vlans and subnets, we have a local IP subnets of 172.1.X.0/24

LocalLAN     - CORESwitch -     ASA 5524         - Internet
(172.1.x.0/24)      (    (Inside:
                                                     (Outside: not reall IP

now our clients need us to use any of the 10.11.x.0/24 subnet for the site to site vpn. They asked to create a nat
translating my 172.1.x.0/24 netwotk to 10.11.x.0/25 to initiate the vpn. My question is that from my current network setup. Where do I setup NAT? I know this is possile to some versions of cisco's layer 3 swithes but the one that we have does have this feature. I Know that ASA fireall can do NATTING but steps to do it, I'm not so sure. Your help will be greatly appreciated.

Thank you.





Hall of Fame Super Silver

So you need to first setup a

So you need to first setup a site-site VPN. We define incoming traffic as "interesting" with an access-list and then call that access-list with a cryptomap to make it get encrypted and directed to the remote peer IP address.

Most often we exempt the "interesting" traffic from NAT. However when you do want to change it (as in your case) we also can do this NAT on the ASA. We create an object for your local networks and an associated NAT rule for traffic destined for the partner's network(s).

There's a pretty good example of this type of use case on this page: link. If you're using ASA 8.3 or higher, the NAT commands would need to be adjusted to account for the newer syntax.

New Member

Hello Marvin,Thank you for

Hello Marvin,

Thank you for your respond.

In my case, in creating the VPN what is your source network?

Thank you.




CreatePlease login to create content