NAT internal IPs with a logical IP

Anukalp S


I have a query on NATting on an 8.4 ASA. We are going to configure an IPsec tunnel with our client. Our client has provided a single IP( which would be the source at his end. Is it possible to NAT my end network( with a logical IP ( which is not configured anywhere?

Here are the details.

My end internal network (inside): (

Logical IP to which my internal IPs are to be NATted: (

Client end network: (

If yes, please share the command as well.

I'm not quite sure what you mean here...

If you specifically want your LAN to appear to the client network with a single IP address of then you naturally would NOT do NAT0, as NAT0 / NAT Exempt does no NAT for your LAN addresses. Wasn't the purpose to PAT all your LAN traffic to this single IP address of before it goes to the REMOTE-LAN?

If you do PAT translation only towards the Client, then you don't need to open anything from the Client towards your PAT IP, as it's a shared IP address for many LAN hosts. You can't really open anything towards a PAT IP address.

Naturally you will need to make sure to allow any traffic you need in your "inside" interface ACL to the REMOTE-LAN unless that traffic is already allowed.

- Jouni

Jouni Forss


You can do a Dynamic PAT towards the remote network through the L2L VPN

The configuration would be something like this:

! The address lines inside the objects are not shown on the page; the
! values in angle brackets are placeholders to be replaced with your own.
object network REMOTE-LAN
 subnet <remote-network> <remote-mask>

object network LOCAL-LAN
 subnet <local-network> <local-mask>

object network L2L-VPN-PAT
 host <logical-pat-ip>

nat (inside,outside) source dynamic LOCAL-LAN L2L-VPN-PAT destination static REMOTE-LAN REMOTE-LAN


  • REMOTE-LAN = the object that defines the remote network for the NAT statement
  • LOCAL-LAN = the object that defines the local network for the NAT statement
  • L2L-VPN-PAT = the object that defines the NAT/PAT address that will be visible to the remote network
  • nat = the NAT statement that does the translation
    • Translation is done between the "inside" and "outside" interfaces (if you have different names, apply those names to the configuration)
    • The NAT configuration translates the whole LAN network to a single PAT address when it tries to connect to the network under the object REMOTE-LAN

Notice that if you do this NAT configuration, then your L2L VPN ACL that defines the traffic will only include the L2L-VPN-PAT object IP address as your source address for the L2L VPN connection.

Hopefully the above information has been helpful. Please rate if so.

Naturally, ask more if something was unclear.

- Jouni
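As an added example (not code from the thread or from Cisco), the following Python model shows what the twice-NAT statement above does to a flow and why Jouni's two remarks follow from it: the crypto ACL must name the PAT address as source because the VPN sees post-NAT addresses, and nothing can be "opened" on the PAT IP from the client side because inbound packets are only mapped back through an existing translation entry. The networks, the PAT address and the sequential port allocation are assumptions chosen for the example; the page does not show the real addresses, and a real ASA picks PAT ports differently.

```python
"""Model of: nat (inside,outside) source dynamic LOCAL-LAN L2L-VPN-PAT
                 destination static REMOTE-LAN REMOTE-LAN
Added example; addresses below are constructed, not the thread's real ones."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

LOCAL_LAN = ip_network("10.1.0.0/24")      # object network LOCAL-LAN (constructed)
REMOTE_LAN = ip_network("172.16.0.0/24")   # object network REMOTE-LAN (constructed)
L2L_VPN_PAT = ip_address("192.0.2.10")     # object network L2L-VPN-PAT (constructed)


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


class DynamicPatToRemote:
    """Dynamic PAT of LOCAL-LAN to one address, only for traffic bound to REMOTE-LAN."""

    def __init__(self, local: IPv4Network, pat_ip: IPv4Address,
                 remote: IPv4Network, first_port: int = 1024) -> None:
        self.local, self.pat_ip, self.remote = local, pat_ip, remote
        self.next_port = first_port  # simplified sequential allocator (assumption)
        # xlate table: PAT port -> (real inside address, real source port)
        self.xlate: Dict[int, Tuple[IPv4Address, int]] = {}

    def outbound(self, flow: Flow) -> Flow:
        """inside -> outside. The rule matches only when the source is in LOCAL-LAN
        AND the destination is in REMOTE-LAN; other traffic is left untouched, so
        this rule does not affect normal Internet-bound traffic."""
        if flow.src in self.local and flow.dst in self.remote:
            port = self.next_port
            self.next_port += 1
            self.xlate[port] = (flow.src, flow.sport)
            return replace(flow, src=self.pat_ip, sport=port)
        return flow

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """outside -> inside. A packet to the PAT address is mapped back only if it
        hits an xlate entry created by an outbound flow. A brand-new connection
        from the remote side to the PAT IP has no entry, so there is no inside
        host it could be delivered to: nothing can be 'opened' on a PAT address."""
        entry = self.xlate.get(flow.dport)
        if flow.dst == self.pat_ip and entry is not None:
            real_ip, real_port = entry
            return replace(flow, dst=real_ip, dport=real_port)
        return None


def crypto_acl(pat_ip: IPv4Address, remote: IPv4Network) -> Tuple[IPv4Network, IPv4Network]:
    """Interesting traffic for the L2L VPN once this NAT is in place: the source
    the tunnel sees is the PAT host, not LOCAL-LAN (Jouni's note above)."""
    return ip_network(f"{pat_ip}/32"), remote


def is_interesting(flow: Flow, acl: Tuple[IPv4Network, IPv4Network]) -> bool:
    src_net, dst_net = acl
    return flow.src in src_net and flow.dst in dst_net


def walkthrough() -> dict:
    """Run one inside host through the rule and return the observable results."""
    nat = DynamicPatToRemote(LOCAL_LAN, L2L_VPN_PAT, REMOTE_LAN)
    acl = crypto_acl(L2L_VPN_PAT, REMOTE_LAN)
    to_client = Flow(ip_address("10.1.0.5"), ip_address("172.16.0.20"), 40000, 443)
    to_internet = Flow(ip_address("10.1.0.5"), ip_address("198.51.100.7"), 40001, 80)
    xlated = nat.outbound(to_client)
    reply = Flow(ip_address("172.16.0.20"), L2L_VPN_PAT, 443, xlated.sport)
    unsolicited = Flow(ip_address("172.16.0.20"), L2L_VPN_PAT, 5555, 22)
    return {
        "translated": xlated,
        "pre_nat_matches_acl": is_interesting(to_client, acl),   # False
        "post_nat_matches_acl": is_interesting(xlated, acl),     # True
        "internet_untouched": nat.outbound(to_internet) == to_internet,
        "reply_mapped_back": nat.inbound(reply),
        "unsolicited_dropped": nat.inbound(unsolicited) is None,  # True
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The `pre_nat_matches_acl` / `post_nat_matches_acl` pair is the point of the note about the crypto ACL: an ACL written with LOCAL-LAN as the source would never see a matching packet once the PAT is applied, so the ACL has to name the L2L-VPN-PAT host. The `unsolicited_dropped` result is the answer to the follow-up question about permitting the PAT IP: there is no static mapping behind it, so an inbound ACL entry for it would have nothing to deliver to.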

Thanks Jouni.

Do we need to perform No NAT there? Also, would an access-list be needed to permit this PAT IP(