
Source NAT in tunnel mode site-to-site VPN


Hi all, 


I configured a site-to-site VPN between a Cisco ASA and Azure using route-based VPN, but now the customer wants to source NAT the subnet lying behind the ASA when it goes towards the Azure end. I have checked but didn't find any document on how I can source NAT my traffic. I am attaching my config here.


Cisco-ASA(config)#crypto ikev2 enable outside

Cisco-ASA(config)#crypto ikev2 policy 1
Cisco-ASA(config-ikev2-policy)#encryption aes-256
Cisco-ASA(config-ikev2-policy)#integrity sha
Cisco-ASA(config-ikev2-policy)#group 2
Cisco-ASA(config-ikev2-policy)#lifetime seconds 28800

Cisco-ASA(config)#crypto ipsec ikev2 ipsec-proposal SET1
Cisco-ASA(config-ipsec-proposal)#protocol esp encryption aes-256
Cisco-ASA(config-ipsec-proposal)#protocol esp integrity sha1
Cisco-ASA(config-ipsec-proposal)#crypto ipsec security-association lifetime seconds 3600

Cisco-ASA(config)#crypto ipsec profile PROFILE1
Cisco-ASA(config-ipsec-profile)#set ikev2 ipsec-proposal SET1
Cisco-ASA(config-ipsec-profile)#set security-association lifetime seconds 27000
Cisco-ASA(config-ipsec-profile)#set pfs group2

Cisco-ASA(config)#tunnel-group type ipsec-l2l
Cisco-ASA(config)#tunnel-group ipsec-attributes
Cisco-ASA(config-tunnel-ipsec)#ikev2 local-authentication pre-shared-key xxxxx
Cisco-ASA(config-tunnel-ipsec)#ikev2 remote-authentication pre-shared-key xxxxx

Cisco-ASA(config)#interface tunnel 100
Cisco-ASA(config-if)#no shut
Cisco-ASA(config-if)#nameif vti
Cisco-ASA(config-if)#ip address
Cisco-ASA(config-if)#tunnel source interface outside
Cisco-ASA(config-if)#tunnel destination
Cisco-ASA(config-if)#tunnel mode ipsec ipv4
Cisco-ASA(config-if)#tunnel protection ipsec profile PROFILE1

Cisco-ASA(config)#route vti 192.168.9.x

Basically I need to use the NAT format below, but I don't know where to apply this in the crypto rule.

Cisco-ASA(config)#nat (inside,outside) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24


Can anyone help me here?



Hi @sv7,

If I understood this correctly, and assuming that you already have a working VPN, you need to apply NAT to your tunnel interface, something like:

Cisco-ASA(config)#nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24



Hi Milos,


Thank you for the reply. I know the command, but I need assistance as to where I should call this source NAT:

nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

As there is no crypto map command in my configuration, where can I call this?

Hi @sv7,

VTIs (tunnel interfaces) are part of route-based VPN, which is conceptually different from policy-based VPN (crypto maps). There is no crypto map involved and no need to invoke it anywhere. A tunnel interface is the same as any other interface, and you only need to apply a NAT statement, just like any other NAT statement on the ASA (just take care of the order of NAT rules, as, in general, you want your no-NAT rules on top of the others).

Either way, NAT is not applied in the crypto map, even with policy-based VPNs (there is a dependency between them, but it is not invoked anywhere specifically).



Will the NAT statement below work with the site-to-site route-based VPN tunnel I posted?


nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

Hi @sv7,

Yes, this is the NAT statement I originally suggested.



I don't believe you can use a VTI in a NAT statement; rather, you need to use a named physical interface or 'any'.

I don't know the reason why, but I can confirm that to date you cannot use VTI interfaces inside NAT statements. As jamesmils suggested, a workaround I've found, which has been working for many months now, is to use twice NAT with the keyword any, something like this:

nat (inside,any) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

In short, with this command you don't directly choose the destination interface, but by specifying the destination network you get the same result.

Most probably this workaround doesn't cover all possible NAT cases, but it should cover the most common ones.


Any help please?


Hi all,

I have the same situation. My customer wanted me to NAT my internal subnet to a mapped IP he provided. I am using policy-based IPsec. Can someone look at the config sample below for the NAT and crypto ACL and verify whether the config is correct?

object-group network source-inside


object-group network Mapped_IP


object-group network remote-IP

network-object host x.x.x.x (waiting dest ip from customer)

nat (inside,outside) source static source-inside Mapped_IP destination static remote-IP remote-IP


access-list outside_cryptomap_20 extended permit ip object-group Mapped_IP object-group remote-IP


Hi @suneel.waqas,

I believe you need to modify your NAT/PAT rule:

nat (inside,outside) source dynamic source-inside Mapped_IP destination static remote-IP remote-IP

You are mapping multiple /22 and /24 subnets to a single /22 subnet, so you must use dynamic for this.

Also, please make sure that you are routing remote-IP towards outside, if that is where your crypto map is applied.
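Both NAT scenarios from this thread pulled together as an added example; this is not config posted by anyone in the thread. The first part is the route-based (VTI) case with the (inside,any) workaround, the second is the policy-based case with dynamic NAT and a crypto ACL matching the mapped pool. Object names, the .0 network addresses behind the thread's "x" placeholders, the 10.x.x.x inside members, the 172.16.100.0/22 pool and the angle-bracket placeholders are all assumed.

```cisco
! --- Route-based (VTI) case: NAT 192.168.10.0/24 to 192.168.19.0/24 towards Azure ---
! Object names and the .0 network addresses are assumed (the thread masks them as "x").
object network REAL_192.168.10.x_24
 subnet 192.168.10.0 255.255.255.0
object network MAPPED_192.168.19.x_24
 subnet 192.168.19.0 255.255.255.0
object network AZURE_192.168.9.x_24
 subnet 192.168.9.0 255.255.255.0
!
! Twice NAT (section 1) is matched top-down, so pin this rule to position 1 so that no
! broader rule above it catches the traffic first. "any" stands in for the VTI,
! which cannot be named in a NAT statement.
nat (inside,any) 1 source static REAL_192.168.10.x_24 MAPPED_192.168.19.x_24 destination static AZURE_192.168.9.x_24 AZURE_192.168.9.x_24
!
! The ASA routes the Azure subnet via the VTI; Azure in turn has to know the
! mapped 192.168.19.0/24, not the real subnet, as the on-premises address space.
! <azure-tunnel-ip> is a placeholder for the peer's tunnel address.
route vti 192.168.9.0 255.255.255.0 <azure-tunnel-ip> 1
!
! --- Policy-based (crypto map) case: several inside subnets to one /22 mapped pool ---
! Member networks and the pool are assumed example values.
object-group network source-inside
 network-object 10.1.0.0 255.255.252.0
 network-object 10.2.1.0 255.255.255.0
object-group network Mapped_IP
 network-object 172.16.100.0 255.255.252.0
object-group network remote-IP
 network-object host <customer-dest-ip>
!
! Many real addresses onto a smaller mapped pool, so "source dynamic", not "source static".
nat (inside,outside) source dynamic source-inside Mapped_IP destination static remote-IP remote-IP
!
! The crypto ACL is evaluated after NAT, so it must match the mapped pool, not the real subnets.
access-list outside_cryptomap_20 extended permit ip object-group Mapped_IP object-group remote-IP
```

The `<...>` tokens must be replaced with real values before the ASA will accept those lines.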


