Cisco Support Community

New Member

Site-to-Site VPN NAT question

I have a setup whereby there is a central ASA, and 2 remote sites.

This is hub and spoke, where there are only VPNs between the central site and remotes, not remote to remote.

The remotes communicate with each other also using "intra-interface".

Because of a subnet overlap between the 2 remotes, I need to NAT the traffic at the central site before the hairpin back out (between remotes).

Is it possible, and how would I achieve that (NAT the incoming traffic from a remote VPN, before passing it back out the other remote VPN)?


Super Bronze

Re: Site-to-Site VPN NAT question

Since the 2 remote LANs have the same subnets, you would need to perform the NATing at the remote sites, not on the central ASA.


Site A: --> NAT to

Site B: --> NAT to

On site A:

access-list vpn-nat permit ip

static (inside,outside) access-list vpn-nat

On site B:

access-list vpn-nat permit ip

static (inside,outside) access-list vpn-nat

Crypto ACL also needs to be changed to the NATed subnets.

Hope that helps.
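The reply above leaves the subnets out, so here is the spoke side of that design written out as an added example (not the original poster's or the replier's configuration). The addresses are assumed for illustration: hub LAN 10.0.0.0/16 (untranslated), both spoke LANs 192.168.1.0/24, spoke B mapped to 10.100.1.0/24 and spoke C mapped to 10.100.2.0/24. The syntax is the pre-8.3 `static (inside,outside) ... access-list` form used in the reply; IKE policy, transform set and tunnel-group lines are omitted because they do not change.

```cisco
! Added example, ASA 8.2-style syntax. Assumed addressing:
!   hub (Site A) LAN : 10.0.0.0/16        (never translated)
!   spoke B real LAN : 192.168.1.0/24  -> mapped 10.100.1.0/24
!   spoke C real LAN : 192.168.1.0/24  -> mapped 10.100.2.0/24
!
! ================= Spoke B =================
! 1. Policy static NAT: the whole LAN is presented as 10.100.1.0/24 to BOTH
!    the hub and spoke C's mapped range, so the hub can tell the two spokes
!    apart. The mapped network's mask is taken from the ACL source mask, so
!    the "netmask" keyword is not used with the access-list form.
access-list vpn-nat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn-nat extended permit ip 192.168.1.0 255.255.255.0 10.100.2.0 255.255.255.0
static (inside,outside) 10.100.1.0 access-list vpn-nat
!
! 2. Caveat: do NOT also list these destinations in a NAT-exemption ACL
!    ("nat (inside) 0 access-list ..."). Exemption is evaluated before
!    policy static NAT, so untranslated 192.168.1.0/24 would enter the
!    tunnel and fail to match the crypto ACL below. Only an Internet PAT
!    (nat (inside) 1 ... / global (outside) 1 interface) belongs here.
!
! 3. Crypto ACL in terms of the MAPPED source: NAT happens before
!    encryption, so the "interesting traffic" is already 10.100.1.0/24.
access-list vpn-to-hub extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn-to-hub extended permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
!
! Hub public address assumed (TEST-NET-3 documentation range).
crypto map outside_map 10 match address vpn-to-hub
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! ================= Spoke C (mirror image) =================
! Hosts here address spoke B hosts by their MAPPED 10.100.1.x addresses.
access-list vpn-nat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn-nat extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
static (inside,outside) 10.100.2.0 access-list vpn-nat
!
access-list vpn-to-hub extended permit ip 10.100.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn-to-hub extended permit ip 10.100.2.0 255.255.255.0 10.100.1.0 255.255.255.0
!
crypto map outside_map 10 match address vpn-to-hub
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

Because policy static NAT is bidirectional, a packet from spoke C to 10.100.1.25 is un-translated to 192.168.1.25 on arrival at spoke B, and the reply is re-translated on the way out; `show xlate` on each spoke should show the 192.168.1.x to 10.100.x.x entries once traffic flows, and `show crypto ipsec sa` should count encaps/decaps against the mapped ranges. On ASA 8.3 and later the same mapping is expressed as twice NAT (`nat (inside,outside) source static <real-obj> <mapped-obj> destination static <peer-obj> <peer-obj>`), with the crypto ACLs unchanged.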

Cisco Employee

Re: Site-to-Site VPN NAT question

Hi, if I understand you right, this is what you have:

head end network: A

remote site 1: B

remote site 2: B

So the first problem you will encounter is how you will differentiate site 1 and site 2 for the tunnel with A, so I assume you did it by NATting one of the remote networks to C.

For example:

remote site 1 NATted: C

So you have 2 tunnels, A-C and A-B.

Basically, what you are doing is NATting the entire B to C before sending it out in the tunnel.

This will solve the problem of having a tunnel between A-B (C, or site 1) and A-B (site 2).

Now, to have site 1 and site 2 talk to each other,

all you need is same-security permit intra-interface.

hope it helps

New Member

Re: Site-to-Site VPN NAT question

I'd better explain further.

Head end - Site A  (subnets in range

Remote 1 - Site B (subnets in range

Remote 2 - Site C (subnets in range

It turns out that Site B also has internal subnets of

Site B's don't need to communicate down the VPNs, but Site C has a need to communicate with Site B. Hence it won't route properly if we send Site C down the VPN as

There are potentially other sites coming online with similar problems.

So basically I was trying to establish if it was possible at Site A to NAT Site C's range before sending it on to Site B (communication is always initiated from Site C). When I look in ASDM it asks for the originating interface as part of the NAT parameters. In this case it would be the Outside, but given the traffic is going back out of that interface (albeit down a VPN) I'm just not sure if this is possible.

Sorry, not an ideal setup, but I have taken it over and for various reasons we have to hub & spoke the VPNs.

Cisco Employee

Re: Site-to-Site VPN NAT question

Sorry, forgot to mention you need to NAT site 2 to something like D too.
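The two Cisco Employee replies together (NAT each remote to its own range, then hairpin with intra-interface) leave the hub side to the reader, so here it is as an added example (not from the thread). It assumes the same illustrative addressing as the spoke example above: hub LAN 10.0.0.0/16, spoke B presented as 10.100.1.0/24, spoke C presented as 10.100.2.0/24, spoke public addresses from the TEST-NET-2 documentation range. Pre-8.3 syntax; IKE and tunnel-group lines omitted.

```cisco
! Added example: hub (Site A) side, ASA 8.2-style syntax. Assumed addressing:
!   hub LAN 10.0.0.0/16, spoke B mapped 10.100.1.0/24, spoke C mapped 10.100.2.0/24
!
! 1. The hairpin the original poster asks about: traffic decrypted on
!    "outside" may be re-encrypted and sent back out "outside".
same-security-traffic permit intra-interface
!
! 2. The hub never sees 192.168.1.0/24 from either spoke; every crypto ACL
!    is written in terms of the mapped ranges. The spoke-to-spoke pair
!    must appear in BOTH tunnels, mirrored: decrypted packets from spoke C
!    (src 10.100.2.x, dst 10.100.1.x) are matched against the spoke B
!    crypto ACL on their way back out.
access-list vpn-to-spokeB extended permit ip 10.0.0.0 255.255.0.0 10.100.1.0 255.255.255.0
access-list vpn-to-spokeB extended permit ip 10.100.2.0 255.255.255.0 10.100.1.0 255.255.255.0
!
access-list vpn-to-spokeC extended permit ip 10.0.0.0 255.255.0.0 10.100.2.0 255.255.255.0
access-list vpn-to-spokeC extended permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
!
! 3. No NAT is applied to the hairpinned flow: it enters and leaves on
!    "outside", and no "nat (outside) ..." statement exists. The hub's own
!    LAN is exempted towards both mapped /24s (covered by 10.100.0.0/16)
!    only if the hub also PATs inside hosts to the Internet.
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0
nat (inside) 0 access-list nonat
!
! 4. One crypto map entry per spoke, on the same outside interface.
!    Spoke public addresses are assumed (TEST-NET-2).
crypto map outside_map 10 match address vpn-to-spokeB
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
!
crypto map outside_map 20 match address vpn-to-spokeC
crypto map outside_map 20 set peer 198.51.100.2
crypto map outside_map 20 set transform-set ESP-AES-SHA
!
crypto map outside_map interface outside
```

The mapped ranges need no specific route on the hub beyond a default route pointing out "outside", since the crypto map, not the routing table, decides which tunnel carries them. To check the hairpin, initiate traffic from spoke C to a 10.100.1.x address and confirm with `show crypto ipsec sa` on the hub that the 10.100.2.0/24 to 10.100.1.0/24 SA for the spoke B peer shows encaps increasing while the matching SA for the spoke C peer shows decaps; if only decaps move, the spoke B crypto ACL is missing the mirrored spoke-to-spoke line or intra-interface is not enabled.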