
no nat and pat statements

Level 1

Hi, I have the following question:

I have an ASA 5520, and currently the box is primarily set up for a VPN remote access scenario. The IP addresses for the remote clients are, let's say, in the range , assigned by RADIUS.

I currently have a no-NAT configuration, because I don't need NAT so far.

Now I would like to set up multiple VPN site-to-site connections on the same box, and I would like to hide each VPN tunnel "customer" behind a single IP, so in my understanding I would like to do PAT.

"CustomerA" should hide behind , CustomerB behind , and so on.

In my understanding I need a nat 0 statement for not NAT'ing the remote VPN users, and a nat 1 entry for NAT'ing the VPN tunnel customers and hiding them.

Could anyone please give me some help and an example for this NAT/PAT issue?

Thank you very much.

6 Replies

Level 1

Any little hint is welcome!


Jon Marshall
Hall of Fame


1) Do you want to hide all customer source IP addresses behind one IP address when traffic comes from the customer to you?


2) Do you want to present the customer network as one IP address to your internal clients?

Also, is there any reason you have taken the IP addresses in your example from the same range as your client VPNs?


Hi Jon,

thanks for the answer.

I would like to present each customer network behind one IP address for the internal clients.

Yes. VPN clients should be in the first half of the /25 mask, site-to-site beginning with .129.

I have only one class C available, so I thought it might make sense to split it.


Okay, that might be a problem. If you wanted to translate all customer source IP addresses to one of your 192.168.1.x/25 addresses then this would be relatively easy.

But it sounds from your answer that you want to present the customer network to your VPN clients as one IP address. This assumes that the connection will be initiated FROM your VPN clients.

And this is the problem. Let's say for argument's sake that one of your customer networks is . Additionally, within that network your VPN clients want to initiate connections to , 11, 20 & 50.

Now you present the whole network as . A VPN client wants to talk to and so it sends a packet to . How does the firewall know which 172.16.5.x address the VPN client wants to talk to?

The answer is it doesn't. For each of the 172.16.5.x hosts within the customer network you would need to use a 192.168.1.x address to present it to your internal VPN clients.

Note that if the connections are always initiated from the customer network then you can hide all their IP addresses behind one of your 192.168.1.x addresses.

Hope I have understood correctly.


Let me try again to describe my problem:

I have VPN clients that will be assigned an IP address from the pool , and they should be able to access my corporate network without any NAT translation. So I assume I need a nat 0 statement.

Then I have site-to-site customers connected to my corporate network, and I would like to hide each separate customer behind a separate IP address from the pool .

In my understanding I need a PAT statement, that means an additional nat 1 entry.

Now I get confused with these two NAT entries, nat 0 and nat 1, and I could not figure out how to do this.

The VPN clients usually will not talk to the customer site-to-site VPN.

I have the net A that should not be translated, and I have IP addresses from pool B that should hide the customer networks, so that the source IP ends up behind a NAT'ed IP.

Thanks for your support so far Jon.


If you want to hide the source IP addresses of the customer networks:

Let's say the customer network is and it arrives on the outside interface. Customer IP addresses should be hidden behind .

nat (outside) 2 outside

global (inside) 2

This will change the source IP addresses of 172.16.5.x to appear to be from . This will only work if the traffic is initiated from the customer site.

I hope this makes sense.
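To show how the nat 0 exemption for the remote-access clients and the per-customer outside PAT that Jon describes fit together on one box, here is an added configuration example. It is not from the thread or from Cisco; it uses the same pre-8.3 nat/global syntax as Jon's reply, and every address in it other than 172.16.5.0/24 and the 192.168.1.0/25 client pool is an assumption: the corporate LAN 10.1.0.0/16, a second customer network 172.16.6.0/24, and the PAT addresses 192.168.1.129 and 192.168.1.130 taken from the upper half of the /24 the poster set aside for site-to-site use.

```cisco
! Added example, not configuration from the thread. ASA 8.2-style (pre-8.3) syntax.
! Assumed values (not given in the thread):
!   corporate LAN         10.1.0.0/16        behind the inside interface
!   VPN client pool       192.168.1.0/25     handed out by RADIUS (poster's range)
!   customer A network    172.16.5.0/24      (used in Jon's reply)
!   customer B network    172.16.6.0/24      (assumed)
!   PAT address for A     192.168.1.129      (assumed, upper half of the /24)
!   PAT address for B     192.168.1.130      (assumed)

! --- remote-access clients: NAT exemption (the "nat 0") ---
! Traffic between the LAN and the client pool keeps its real addresses.
! nat 0 with an access-list is evaluated before any dynamic nat/global pair,
! so it coexists with the nat 1 rule below on the same inside interface.
! Keep the ACL scoped to the client pool only; a 0.0.0.0 destination here
! would silently exempt everything else from NAT as well.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.128
nat (inside) 0 access-list NONAT

! --- site-to-site customers: outside dynamic PAT, one nat id per customer ---
! As decrypted packets cross from outside to inside, each customer's real
! source addresses are rewritten to that customer's single PAT address.
! The trailing "outside" keyword is what makes these outside-NAT rules.
nat (outside) 2 172.16.5.0 255.255.255.0 outside
global (inside) 2 192.168.1.129

nat (outside) 3 172.16.6.0 255.255.255.0 outside
global (inside) 3 192.168.1.130

! --- the existing "nat 1" for ordinary LAN-to-internet traffic ---
! Anything from inside that NONAT did not match is PATed to the outside address.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface

! --- interesting traffic for customer A's tunnel ---
! NAT is applied before the crypto map is consulted, so the crypto ACL must
! match the customer's real (untranslated) addresses, not 192.168.1.129.
access-list CUSTA-VPN extended permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
```

Two things to check after applying this. First, have a host at the customer side open a connection and run `show xlate` on the ASA: you should see the 172.16.5.x source mapped to 192.168.1.129, and nothing at all for VPN-client-to-LAN flows, which is the sign that nat 0 took precedence. Second, remember what Jon said about direction: the PAT address only exists in the translation table once a customer host has initiated a connection, so internal hosts cannot reach customer A by sending to 192.168.1.129 on their own, and your inside logs will show every customer A host as .129, so keep ASA syslog (xlate build/teardown messages) if you need to attribute activity to a specific customer host. On ASA 8.3 and later the nat/global pairs are replaced by object NAT and the commands above do not apply as written.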