
Welcome to Cisco Firewalls Community


Policy NAT on RA VPN?

I have the following scenario; due to a 3rd party issue they have no route to my Remote Access VPN IP POOL and their default gateway doesn't hit my ASA.

I want to enable NAT so that my VPN IP POOL is hidden behind the inside interface of the firewall (as they can route to that). Below is a snippet of my config but it doesn't work... any ideas?

(The Remote Access VPN works fine to the rest of the network, details have been changed to protect the innocent ;))

interface e0
ip addr
sec level 0
nameif outside

interface e1
ip addr
sec level 100
nameif inside

ip local pool VPN_POOL mask

access-list NAT_VPN permit ip

global (inside) 10 interface
nat (outside) 10 access-list NAT_VPN

I think the issue is that I'm implementing "NAT & Global" from a low sec-level to a high, but you can't do this command with "statics" 'cause it complains that the subnet mask in the ACL of the source isn't a host.

Thanks in Advance,



Re: Policy NAT on RA VPN?

In order to configure Policy NAT for VPN traffic, for example, to change the source address, refer to this configuration example. In this example, the internal network is

Create an access-list for Policy NAT with real source and a destination IP address.

access-list POLICYNAT extended permit ip host

access-list POLICYNAT extended permit ip

Create a static command that states that when source is and destination is or, change it to

static (inside,outside) access-list POLICYNAT

Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example,

access-list VPN extended permit ip host

access-list VPN extended permit ip

Apply the crypto access-list to crypto map.

crypto map VPN 10 match address VPN


Re: Policy NAT on RA VPN?


Thanks for your response, but I don't think that'll do what I've asked.

I want to hide behind the interface of the firewall, I'm sure that...

static (inside,outside) access-list POLICYNAT

Means that if is the source, then the source nat will be

...also I want to nat the other way round... outside,inside not inside,outside ;-)
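What the original poster is describing is outside NAT on an ASA running the pre-8.3 `nat`/`global`/`static` syntax used throughout the thread: traffic from the RA VPN pool enters on the lower-security outside interface and is translated to the inside interface address before it reaches the third-party network. The following is an added example and not configuration from the thread: the addresses are RFC 5737 documentation placeholders, the object and ACL names are assumed, and the third party's network is assumed to be reachable via the inside interface. On 8.2 and earlier, a dynamic `nat` rule whose real interface has a lower security level than its mapped interface needs the `outside` keyword, which the `nat (outside) 10 access-list NAT_VPN` line in the original post does not have; the 8.3+ twice-NAT equivalent is included for comparison.

```cisco
! Added example, not from the thread. All addresses are placeholders (RFC 5737).
! 192.0.2.0/24   = RA VPN client pool (real source, assumed)
! 198.51.100.0/24 = third-party network behind "inside" that has no route to the pool (assumed)

! ---- ASA 8.2 and earlier (nat/global syntax, as in the original post) ----
ip local pool VPN_POOL 192.0.2.1-192.0.2.254 mask 255.255.255.0

! Policy NAT ACL: real source = VPN pool, destination = the network that cannot route to it.
! Only traffic matching this ACL is translated; VPN traffic to the rest of the network is untouched.
access-list NAT_VPN extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0

! Outside NAT: "outside" keyword is required because the real interface (outside, level 0)
! has a lower security level than the mapped interface (inside, level 100).
nat (outside) 10 access-list NAT_VPN outside
! Hide the matched pool addresses behind the inside interface address (dynamic PAT).
global (inside) 10 interface

! ---- ASA 8.3 and later (twice NAT equivalent of the same policy) ----
object network VPN_POOL_NET
 subnet 192.0.2.0 255.255.255.0
object network THIRD_PARTY_NET
 subnet 198.51.100.0 255.255.255.0
! Source is PATed to the inside interface only when the destination is the third-party network.
nat (outside,inside) source dynamic VPN_POOL_NET interface destination static THIRD_PARTY_NET THIRD_PARTY_NET
```

After a VPN client sends traffic toward the third-party network, `show xlate` should list a translation from a pool address to the inside interface address, and `show nat` shows the rule hit counters. Two caveats worth checking before concluding the rule is wrong: on pre-8.3 code a NAT exemption rule (`nat (outside) 0 access-list ...`) that matches the pool traffic takes precedence over policy NAT, so make sure no exemption covers the same flows; and once the pool is hidden behind a single address, the third party's own logs can no longer attribute activity to an individual VPN user, so per-client attribution has to come from the ASA's translation and connection syslogs (message IDs 305011 and 302013/302015) and the VPN session logs.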