Showing results for 
Search instead for 
Did you mean: 

Can Easy VPN Clients Be NAT'ed to Access Subnets Behind Easy VPN Server?

I have some VPN clients that need to access a device on an internal subnet that is not directly connected to the 1801 router acting as the Easy VPN Server.  The router has an internal IP address of  The VPN clients are being assigned addresses from the subnet.  The device has an IP of and it is behind a gateway that has an IP of

I cannot modify the routing table of the gateway that has the IP of so that it knows to route traffic to because it is not under my control.

Is it possible for me to NAT the VPN client traffic behind the VLAN 1 interface so the device sees the VPN client traffic coming from and knows how to get to that?

I know that assigning the VPN clients IP address from the subnet would work but that subnet is not under my control and that might cause some conflicts.

Thanks for any help you can give.

Cisco Employee


You should be able to do that. You basically have to overload the PVN client pool to the inside ip address of Assuming the interface the VPN clients connect to is fa0/0 and the interface fa0/1 has ip address of Also, i am guessing you already have ip nat inside on fa0/1 and ip nat outside on fa0/0.

So you will need the following:

ip access-list extended VPN

permit ip host

ip nat outside source list VPN interface fa0/1 overload.

Hope this helps. Let me know how it goes!

Thanks and Regards,



Thank you for your response.  Basically, all of your assumptions are correct.  The external interface is FastEthernet0 and the internal interface is VLAN1.  I'm not able to type that command on the 1801 router.  I'm only able to type the following:

          ip nat outside source list VPN pool Test

I'm not even given the opiton to use the "interface" option:

          cisco-1801(config)#ip nat outside source list VPN ?
             pool  Name pool of local addresses


I tried using the following to make it work but it didn't work:

          ip nat pool Test netmask
          ip nat outside source list 108 pool Test

Do you have any other ideas or see anything I'm missing?

Thanks again.

Hi Alex,

I would have thought of the same thing. Is it working with that config?

Thanks and Regatrds,


No.  It's not working with that config.

What does your "show access-list 108" look like? Try adding the "overload" keyword at the end and see if it helps.

ip nat outside source list 108 pool Test overload

Also, the below link seems to suggest an add-route keyword at the end of the above command which is necessary for this to work:



Recognize Your Peers
Content for Community-Ad