Showing results for 
Search instead for 
Did you mean: 

Adding a NAT for remote host on VPN


We are trying to bring up a L2L VPN to a vendor.  The vendor's IP addresses overlap with one of our internal subnets.  The vendor claims that they cannot apply a NAT on their side.  Is there a way to configure NAT on my side to NAT the remote host?  I tried creating a static entry

static (inside,outside) globalIP localIP subnet

The NAT seems to work, at least according to the xlate table, but I cannot bring up the tunnel.

1) will this actually work?

2) how should I define "interesting" traffic?  Using the remote NAT or the remote real IP?

Thank you.




Hi Jason,

this is the packet flow in ASA:

PIX/ASA - VPN - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)
Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found
create a
new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. VPN - [encrypt] -
9. VPN - [ipsec-tunnel-flow] -
10. IP-OPTIONS - [] -
11. FLOW-CREATION - [] - If everything passes up until this point a
is created.
12. FLOW-LOOKUP - [] - On the new header
13. ACCESS-LIST - [] - On the new header
14. FLOW-CREATION - [] -
15. ROUTE-LOOKUP - [output and adjacency]

Since route lookup is done before NAT, you have to change the ip address scheme at your end or ask them to nat.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: