So I need ideas on the best way to achieve this; I can think of a few but don't know which will be best. Here goes:

I have a local network of and need to create a bidirectional IPsec tunnel to a client site. They want me to present a address to them over the IPsec. My thinking, for ease, is to create the tunnel with the local and remote networks above, then create a dynamic NAT pool (many to many) that will translate any address to a address. Is there a better way to do this?

Thanks in advance.


Eugene Khabarov
Rising star

If I understood your question correctly, then my solution would be to create an SVTI (IPsec virtual tunnel interface), configure it with "ip nat outside" and then translate to the NAT pool. It seems an easy task.

So the issue is that I have to send the IP from site 1 to site 2 as over the IPsec. I have no access to site 2 or any of its equipment (it is at a client). From what I know I could do it using SVTI, but wouldn't the other site (site 2) need a address? The only thing they have set, or can set, is a remote network of

Abaji Rawool

Here is an example, which might help you, but you need to make sure you have a matching subnet (for bidirectional, one-to-one mapping).

Configure the NAT. Source address range of /24 and destinations of the remote subnet (example

access-list 101 permit ip

Create a route-map called 'static-nat' and match traffic to ACL 101:
route-map static-nat
  match ip address 101

Create a NAT-POOL for the public IP address (or range) you want to NAT to. In this case, I'm NATing to

ip nat pool NAT-POOL netmask

Create a NAT rule to use the route-map 'static-nat'.  Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:

ip nat inside source route-map static-nat pool NAT-POOL overload

Once you have configured the NAT, you need to modify the interesting traffic. You need your 'interesting traffic'

access-list 121 permit ip

Define your VPN peer, apply phase II and the matching ACL for interesting traffic:
crypto map VPN 5 ipsec-isakmp
 set peer <peer ip>
 set transform-set <transform set>
 match address 121

Apply the crypto map to the public interface and NAT on the public side:

interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN

Configure the inside interface NAT on internal side:

interface GigabitEthernet0/1
 ip address
 ip nat inside



Thanks for your reply. When trying this on the ASA I get "invalid input", as below:


ASA5510-02(config)# ip nat pool NAT-POOL netmask /24
ERROR: % Invalid input detected at '^' marker.

Can you please tell me which ASA software version you are using, as the NAT configuration has a different syntax on version 8.3 and earlier versions.

It is 9.1.5.

For one-to-one NAT, make sure your real subnet and NATted subnet masks are the same.

You need to configure a manual NAT statement on your firewall. For example:

1. First create network objects and refer to them in the NAT statement.

object network obj-


object network obj-


object network destination_network

 subnet x.x.x.x x.x.x.x

nat (inside,outside) source static obj- obj- destination static destination_network destination_network

2. Now define the interesting traffic, using the NATted IP as the source.

access-list new extended permit ip x.x.x.x x.x.x.x y.y.y.y y.y.y.y

3. Refer this access-list in crypto map configured for the peer.



Please do rate useful posts
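A worked ASA 9.1 version of the three steps above, as an added example that is not from this thread or from Cisco. All addresses (10.1.1.0/24 real, 192.0.2.0/24 mapped, 172.16.50.0/24 client, peer 203.0.113.1), object names and map names are constructed, and the IKEv1 policy and tunnel-group for the peer are assumed to exist already.

```cisco
! Constructed example values (not from the thread):
!   real inside subnet        10.1.1.0/24
!   subnet the client must see 192.0.2.0/24  (same /24 mask -> 1:1 mapping)
!   client's remote subnet     172.16.50.0/24
!   VPN peer                   203.0.113.1
object network REAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network MAPPED-LAN
 subnet 192.0.2.0 255.255.255.0
object network CLIENT-LAN
 subnet 172.16.50.0 255.255.255.0
!
! Twice (manual) NAT: 10.1.1.x -> 192.0.2.x only when the destination is the
! client's subnet. Equal-size objects give a static one-to-one mapping.
! Line 1 places it ahead of any general PAT rule so it is matched first.
nat (inside,outside) 1 source static REAL-LAN MAPPED-LAN destination static CLIENT-LAN CLIENT-LAN no-proxy-arp route-lookup
!
! Interesting traffic must use the MAPPED (post-NAT) source, because the ASA
! applies NAT before it evaluates the crypto map ACL.
access-list VPN-CLIENT extended permit ip 192.0.2.0 255.255.255.0 172.16.50.0 255.255.255.0
!
! Phase 2 (IKEv1; transform-set name is a placeholder)
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-CLIENT
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Verification from the ASA CLI: the trace should hit the NAT rule above and
! end in a "VPN" encrypt phase; the SA counters should then increment.
! packet-tracer input inside icmp 10.1.1.10 8 0 172.16.50.10
! show nat detail
! show crypto ipsec sa peer 203.0.113.1
```

If the packet-tracer shows the original 10.1.1.x source at the VPN phase, the NAT rule is ordered after a general rule or the objects do not match, and the client side will never see the agreed 192.0.2.0/24 traffic.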


I provided the configuration assuming it is an IOS router. For the ASA you need to have policy-based NAT.

You can refer this thread for similar example:



