Showing results for 
Search instead for 
Did you mean: 

asa site to site vpn with overlapping networks


I am trying to set up a site to site tunnel with overlapping networks. The customer has asked if I can use an public ip address (same network as the outside interface of the asa) - I dont want to use a public Ip address for this temporary deployment

I recall setting up a vpn site to site with overlapping networks in past (cant find my documentation)

I think I defined the following:

Natted inside networks to a ip address on the outside interface of the asa using something like

Build the tunnel and specify the source address of the tunnel to be

Is there anything else to it?

What type of nat would do the trick?

Any help would be greatly appreciated.



4 Replies 4

Jouni Forss


Can you reply with the source and destination networks. Or is there perhaps only a certain hosts that need to use the VPN on each end?

Anyway, reply with the real IP addresses/network on both end and I can check the NAT and encryption domain configurations.

What software are you running on the ASA? 8.2? 8.3? 8.4? or perhaps something older?

- Jouni

Inside,11, 45<----asa----> outside <-Internet> outiside <-vpn device?> ---

I am not familiar with their set up, but the only thing I was informed was that 10.250.11 might be used on their  end internally and if I could nat the hosts on inside to an outside IP address.

ASA running 8.0 (4)

Thanks again,



Well I guess you could do so that you NAT your whole local network to some other network so you wont have to do several single static NAT translations on the ASA just for this L2L VPN connection

You didn't mention anything about network masks so I'll use /24 which is pretty basic

So some base information for the configration:

Local network:

Local network (NAT):

Local LAN interface name: inside

Local OUTSIDE interface name: outside

Remote network: ?

Static Policy NAT that is applied only when your connecting to the remote network of (Or they connecting to your networks NATted IP addresses)

access-list L2L-VPN-POLICY-NAT remark L2L VPN Local Network NAT

access-list L2L-VPN-POLICY-NAT permit ip

static (inside,outside) access-list L2L-VPN-POLICY-NAT

access-list L2L-VPN-ENCRYPTION-DOMAIN remark L2L VPN Encryption Domain ACL

access-list L2L-VPN-ENCRYPTION-DOMAIN permit ip

To  my understanding the above configuration should apply a NAT for every IP address of the /24 network to the NAT network of when youre connecting from your local network to the remote network.

Though I'm abit wary of the Policy NAT statement where the actual source and destination network are the same. I did try it on my own ASA (though running newer 8.4 software with new NAT format) and it seemed to work.

What I'm also wondering that is it really possible that both of your networks have subnet? Or did you just mean that theyre local network overlaps

Would you be actually connecting to a host address of 10.250.11.x through the L2L VPN? I

- Jouni


The NAT doesnt necesarily have to be a Static NAT like I just showed above. But that depends on which party is initiating the connections through the L2L VPN.

If its just you connecting to remote hosts for services then you could simply do a Policy PAT translation towards the L2L VPN tunnel.

Then again if the remote end needs to connect to some services on your end, PAT is out of the question.

Atleast with the static translation you will guarantee connectivity between all the host.

One thing you should also consider is how you control traffic coming from the L2L VPN.

This depends much on the fact how you have set the "sysopt connection permit-vpn" setting. Having it on lets all traffic bypass outside access-list. Disabling it will mean you will have to permit the traffic coming from the L2L VPN tunnel in the outside interface access-list.

If you have the "sysopt connection permit-vpn" setting on. The only way to control traffic is to apply a VPN filter ACL to the L2L VPN connection

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers