Cisco ASA 8.3+ NAT within a site to site VPN tunnel

I’ve written a post on how to set up a Cisco ASA site to site VPN tunnel here on pre 8.3 firmware. Now I’m going to write about how to build a VPN tunnel on post 8.3 firmware, with emphasis on performing NAT within a site to site VPN tunnel.

Often, when establishing a VPN relationship with a third party, we bump into overlapping internal network subnets. The best practice is for both parties to NAT the traffic that is destined for the VPN tunnel to a public IP address. Of course, you should be the owner of the public IP.

Like implementing NAT for internet traffic, you must determine if you are the initiating party or the receiving party, as this determines which type of NAT you are going to use – NAT overload or static NAT.

1. First off, let's set up the tunnel. Define the phase 1 IKE parameters used in the ISAKMP policy.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

2. Then define the tunnel group, where x.x.x.x is the peer IP address. The pre-shared key is also defined here.

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key mysecretkey

Enable ISAKMP on your outside interface if you haven’t already.

crypto ikev1 enable Outside

3. Now define the phase 2 IPsec transform set. I’ve named the transform set ESP-AES-256-SHA, as it uses AES-256 and SHA-1.

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

4. Define the crypto ACL that will be used for the VPN traffic. Pay close attention to the SOURCE and DESTINATION used here. You want to use the POST NAT IP addresses of the hosts, that is, the SOURCE and DESTINATION public IP addresses seen in the tunnel.

access-list CRYPTOACL extended permit ip host NATTED_SOURCE_IP host NATTED_DESTINATION_IP

5. Next, set up the crypto map and apply it to the outside interface.

crypto map OUTSIDE_map 50 match address CRYPTOACL
crypto map OUTSIDE_map 50 set peer x.x.x.x
crypto map OUTSIDE_map 50 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map interface OUTSIDE

6. Wait, we’re not done yet. Here comes the important part. We need to set up the NAT statements.
If you are hosting a server that is the receiving end of the VPN traffic, you will need to use a static NAT. This statement can also be used at the initiating end if you only have one host that needs to reach the other end.


If you are initiating the tunnel traffic and have multiple clients, you will want to use a NAT overload statement. Use a network object to define your source NAT traffic.

object network INSIDE_VPN_PAT
 subnet PRENAT_IP
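
The two NAT forms described in step 6, written out as 8.3+ policy NAT (twice NAT) together with checks to confirm the result. This is an added example, not configuration from the original post. It assumes the inside interface is named INSIDE; every object name and address in it is a constructed placeholder.

```cisco
! Added example. Assumptions: inside interface is named INSIDE; all object
! names and addresses are constructed placeholders (RFC 1918 / RFC 5737).

! Real (pre-NAT) addresses on our side
object network VPN_SERVER_REAL
 host 10.10.10.5
object network INSIDE_VPN_PAT
 subnet 10.10.10.0 255.255.255.0

! Public address we own and present to the peer (NATTED_SOURCE_IP in step 4)
object network VPN_LOCAL_NAT
 host 203.0.113.10

! Address the peer presents to us (NATTED_DESTINATION_IP in step 4)
object network VPN_REMOTE_NAT
 host 198.51.100.20

! Configure only the form that matches your role.

! Receiving end, or a single initiating host: static policy NAT.
! The translation applies only when the far side is VPN_REMOTE_NAT, and it
! is bidirectional, so the peer can open connections to 203.0.113.10.
nat (INSIDE,OUTSIDE) source static VPN_SERVER_REAL VPN_LOCAL_NAT destination static VPN_REMOTE_NAT VPN_REMOTE_NAT

! Initiating end with multiple clients: dynamic PAT (overload) behind one
! address, again only for traffic destined to VPN_REMOTE_NAT.
nat (INSIDE,OUTSIDE) source dynamic INSIDE_VPN_PAT VPN_LOCAL_NAT destination static VPN_REMOTE_NAT VPN_REMOTE_NAT

! The crypto ACL matches the post-NAT addresses, as in step 4
access-list CRYPTOACL extended permit ip host 203.0.113.10 host 198.51.100.20

! Checks: the trace should show the NAT phase rewriting the source before
! the VPN encrypt phase, and the SA encaps/decaps counters should increase.
packet-tracer input INSIDE tcp 10.10.10.5 12345 198.51.100.20 443 detailed
show nat detail
show crypto ipsec sa peer x.x.x.x
```

If the trace shows the packet leaving untranslated or hitting a different NAT rule first, check the rule order in `show nat detail`, since manual NAT rules are evaluated top down.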

That’s it. Make sure you test your VPN tunnel. If you are having trouble, check out my post on troubleshooting IPsec VPN tunnels here. Or if you need to implement a VPN access list, check out my post on implementing VPN filters.

If you are looking for a method of doing NAT on your VPN tunnel pre 8.3, please refer to my old post here:

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV