Cisco ASA Policy Based Static Source NAT

Setting up VPN connectivity between multiple locations is a pretty common task these days. It is a very simple and straightforward setup unless NAT comes into play, or there are multiple offices with overlapping subnets. Usually in that scenario the solution is simple: both sides perform NAT and present their internal network as something else to the other location across the VPN tunnel.

I had a unique situation. I was working on a firewall with multiple VPNs and they pretty much all had a standard setup. There were a couple of VPNs that needed to be set up with a non-standard setup because of the overlap in their networks. This was the scenario:

  • Subnets on both sites were the same, i.e.
  • Site A had a Cisco ASA and Site B had a Cisco IOS router
  • Site B was performing NAT overload and presenting its internal subnet as another IP via the IPsec tunnel
  • Site B needed to communicate with a couple of hosts located at Site A ( and
  • Since the network was also being utilized at Site B, hosts at Site B couldn't see those two hosts at Site A
  • What we needed was to perform a static policy-based source NAT on the Cisco ASA so that hosts from Site B, instead of sending traffic to and, send traffic to other IPs such as and
  • The next issue was that, since there were multiple VPNs on the Cisco ASA and other remote sites were accessing those and hosts, I needed to set up NAT on my end in a way that would only apply to this one site and not affect the other VPNs
  • Take a look at the picture below to get an idea, and after that I will elaborate a bit more on how I accomplished it

I'm not going to go deep into setting up the whole VPN on both ends because that is not the topic here. Basically, on the Cisco router at Site B, NAT overload was utilized for the IPsec VPN and the whole internal network was being NATed as to the Cisco ASA at Site A. Now for the interesting traffic on both ends, instead of and ( and was used.

Here are the Cisco ASA steps that I used to perform policy-based static source NAT:

access-list POLICYNAT1 extended permit ip host host
access-list POLICYNAT2 extended permit ip host host
static (inside,outside) access-list POLICYNAT1
static (inside,outside) access-list POLICYNAT2

Don't forget that the crypto map on the Cisco ASA used the reverse of what was set up on the Cisco IOS router at Site B, i.e. to and to. So this basically allowed and to be translated into and every time the source was or and the destination was (ONLY). Similarly, when the hosts from Site B communicated with or, the Cisco ASA translated those IPs to and, and then back to and. Hope this will help out someone else out there 🙂

Note: This example is for pre-8.3 code. Please keep in mind that this is a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo.
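Since the static/access-list form used above was removed in ASA 8.3, the same policy-based static source NAT is expressed on 8.3 and later as manual (twice) NAT with a destination clause. The following is an added example, not the original post's configuration: every address is a constructed placeholder from the documentation ranges, and the object and ACL names (SITEA_HOST1, SITEB_VPN_NAT, VPN_SITEB, etc.) are assumptions, not names from the post.

```cisco
! Added example (not from the original post). All addresses are constructed
! placeholders: replace them with the real Site A hosts, the IPs Site B should
! use to reach them, and the single address Site B's router overloads to.
object network SITEA_HOST1
 host 10.10.10.5            ! real Site A host 1 (placeholder)
object network SITEA_HOST1_MAPPED
 host 192.0.2.5             ! address Site B uses to reach host 1 (placeholder)
object network SITEA_HOST2
 host 10.10.10.6            ! real Site A host 2 (placeholder)
object network SITEA_HOST2_MAPPED
 host 192.0.2.6             ! address Site B uses to reach host 2 (placeholder)
object network SITEB_VPN_NAT
 host 198.51.100.1          ! what Site B presents through the tunnel (placeholder)
!
! Manual NAT, section 1. Host 1 and host 2 are only translated when the
! destination is Site B's NAT address, so traffic from every other VPN peer to
! the real IPs never matches these rules and is left untouched. The rules are
! bidirectional: packets from 198.51.100.1 to 192.0.2.5 are untranslated to
! 10.10.10.5 on the way in.
nat (inside,outside) source static SITEA_HOST1 SITEA_HOST1_MAPPED destination static SITEB_VPN_NAT SITEB_VPN_NAT
nat (inside,outside) source static SITEA_HOST2 SITEA_HOST2_MAPPED destination static SITEB_VPN_NAT SITEB_VPN_NAT
!
! Crypto ACL for the Site B tunnel: the ASA matches interesting traffic after
! NAT, so it references the mapped addresses, mirroring Site B's router ACL.
access-list VPN_SITEB extended permit ip object SITEA_HOST1_MAPPED object SITEB_VPN_NAT
access-list VPN_SITEB extended permit ip object SITEA_HOST2_MAPPED object SITEB_VPN_NAT
```

Manual NAT section 1 is evaluated top-down and first match wins, so place these specific rules above any broader NAT statements that could also match the Site A hosts. To confirm the scoping, run packet-tracer input inside tcp 10.10.10.5 1025 198.51.100.1 445 and check that the NAT phase shows the source becoming 192.0.2.5; repeat with a destination belonging to a different VPN peer and the NAT phase should report no translation. show nat detail lists the hit counts per rule, which is a quick way to see whether another site's traffic is accidentally matching.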
