
Cisco ASA behind Layer Three Switch, NAT public IP to itself

I'm building a transit network with our internet provider terminating on a layer 3 switch. The IP addresses below are all made up.


| ISP Router | ---------- | Layer 3 Switch |


And the ISP will route our public range ( to our layer 3 switch. From there, I can route this public range onto the outside of our ASA, which NATs the public IPs onto the private IPs of the servers in my LAN.


| Layer 3 Switch | ---------- | Cisco ASA |

ip route


I think this will be fine for the servers behind the firewall, but I can't work out how to add a site-to-site VPN on the firewall. Obviously I can't route to over the public internet, but I can't see how to get the firewall to see an incoming packet for one of the public IPs, and treat that as if it was sent to the Firewall. Do I need a static NAT statement from the public IP ( to the private IP of the firewall (

Has anyone else ever come across this problem? Any ideas?





The NAT statement will not be done on the ASA as it has a private IP address on the outside interface.


So you will either need to tell the ISP to do some sort of DMZ capability to one of the public IP addresses they have and then just wait for the packets to arrive at the firewall.

NAT traversal will be used here to make this happen through a NAT device.


This is a common scenario, but NAT will be needed here to make it happen at some place :)





Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura