Showing results for 
Search instead for 
Did you mean: 

S2S VPN with public IP address as source address

We have a vendor that we need to create a S2S VPN with and they are only allowing public IP addresses for the source address.  I assume this is because they don't want to deal with the potential overlap of private IP addresses from all of their clients.  I never have encounter this before, so I am not sure how to proceed and what public IP address to use. 

Should I create a static one to one nat for the device that needs to go across the VPN to an available public IP address? 

Should I use the global pat address that users are seen on the internet as?

I inherited this network from a previous engineer and there are two S2S VPN's on the ASA 5520 that have the global pat address as the source address.  My concern with this is that all internal traffic will be able to go across the S2S VPN.

TIA for any advice.


Rising star

Hi Dan,

You can do this with policy-static nat.

What version of ASA you are running?

We are running 8.6(1)1 on ASA 5525-X's

If you have additional public IP address available on your internet pipe, you can create a policy static-nat to available

public-ip on your pipe (circuit), otherwise you can still use your existing public IP on your outside interface to policy-static nat.

Your tunnel end-points and the interesting traffic for vpn-tunnel will be your public address and remote public address.

I attached for you, Cisco documenation for creating poilicy static-nat, however it is for old version of ASA, however concept is remain the same, you need substitute version-7 static-nat to 8.6 version.

Hope that helps.


Can I use the global pat IP address?  They aren't using the interface IP address for that address.

"Can I use the global pat IP address?" Sure you can.

"They aren't using the interface IP address for that address."

It is their luxury or availablity as long as the given public IP is being routed to their circuit is do matters.


Hi Dan,

Check this documantion on page 20, it shows how to create static-policy nat.


When interesting traffic for VPN tunnel become public IP(es) there is no need for no-nat, normally otherwise you would need to no-nat.


Rizwan Rafeek

Content for Community-Ad