Showing results for 
Search instead for 
Did you mean: 

Issue with NAT via VPN (ASA 5505)

Nick Harper

I have setup a standard remote VPN so a user can remotely connect to the Firewall and have configured a NAT rule so that they have internet access using a WAN IP on the Firewall.

I'm now trying to make it so that when connected to the VPN they can access sites hosted on servers that are also behind the firewall.

For example resolves to which is also behind the firewall and their "public" IP is

I've tried adding a rule to say if the source address is with destination to just NAT it to which is the internal IP but this doesn't seem to work.

Is it possible to just make it so if they are connected to the VPN it just NATs it so they have the same access as if they were public?


Mohammad Alhyari
Cisco Employee
Cisco Employee

You can do that but ensure that the NAT rule is before the exemption rule. here is two ways to do it:

nat(inside,outside) 1 source static server-private server-public destination static anyconnect-pool anyconnect-pool

or nat(outside,inside) 1 source static anyconnect-pool anyconnect-pool destination static server-public server-private 

this should untranslate packets coming from the anyconnect from the public address to the private address. 


Thanks Moh.

Doing that I get:

Addresses overlap with existing localpool range
ERROR: NAT Policy is not downloaded

This is the NAT I have already to allow outgoing internet so I assume it is that.

nat (any,any) source dynamic VPN WAN-6 dns

VPN is the VPN pool.

Can you change this 

nat (any,any) source dynamic VPN WAN-6 dns


nat (outside,outside) source dynamic VPN WAN-6 dns

Thanks, I changed that so it is now:

nat (outside,outside) source dynamic VPN WAN-6 dns

Then if I run this:

nat (inside,outside) 1 source static WAN-2 LAN-2 destination static VPN VPN

I still get the NAT Policy is not downloaded, Addresses overlap with existing localpool range.

Please paste the entire NAT config here:)

Nick Harper