nat before vpn tunnel use case question

L0 Member

Hello, I am looking to understand if what I am trying to accomplish will work. Given a PAN connecting to an ASA using a L2L IPSec VPN tunnel to access two distinct IP addresses behind the ASA. Now these IP addresses are duplicated on the LAN the PAN connects to, essentially overlapping. I know what to do in an ASA. But for the PAN I want my logic checked. The goal here is to use two IP addresses on the PAN side that don't overlap so users can access the devices behind the ASA. I would do a 1-to-1 NAT for each and I hope in theory that the order of operations (anyone have this?) would allow for NAT before the packets are placed in the tunnel. The tunnel I would build like any other, using host routes to the IPs behind the ASA. Am I correct in how I would envision this working? Are there any gotchas or caveats for this use case?


Thank you

All Replies
L4 Transporter

Never experienced this but I think source NAT will do the trick.

L7 Applicator

In case of overlapping IP addresses on both sites, and you only need to make a unidirectional connection (from you to the remote servers), you would set up source NAT on your end and destination NAT on the remote end:


Your sources would hide behind a subnet/IP not existing on the remote site, so they can easily route reply packets back into the tunnel, while the remote end would apply destination translation on your incoming packets to hit the desired 2 servers (if they ever need to perform maintenance or replace the servers, this will also grant them direct control to change the destinations).


Your clients would be connecting to fictitious destination IPs that you can static-route into the tunnel.

If you have an internal DNS server, you could give these IP addresses a friendly hostname.

Tom Piens -
Like my answer? check out my book!
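As an added illustration, not part of the thread, here is a small Python model of the two-sided translation described above: source NAT on the PAN before the packet enters the tunnel, destination NAT on the ASA, and the reply path. All addresses are constructed for the example (both LANs assumed to be 10.10.10.0/24), and the source NAT is modelled as a 1:1 subnet translation so the reverse mapping needs no session table.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed addressing (assumption): both LANs are 10.10.10.0/24.
OVERLAP_LAN = ipaddress.ip_network("10.10.10.0/24")
# Fictitious destinations the local users connect to -> real servers behind the ASA.
FICTITIOUS = {"192.168.200.20": "10.10.10.20", "192.168.200.21": "10.10.10.21"}
# Local sources hide behind 192.168.100.0/24, a range not present on the remote LAN,
# as a 1:1 subnet translation that keeps the host part of the address.
HIDE_NET = ipaddress.ip_network("192.168.100.0/24")

def _retag(ip, net):
    """Keep the host bits of ip, replace the network bits with those of net."""
    host = int(ipaddress.ip_address(ip)) & int(net.hostmask)
    return str(ipaddress.ip_address(int(net.network_address) | host))

def pan_outbound(pkt):
    """PAN: source NAT is applied before the packet is placed in the tunnel.
    Only the fictitious destinations have a host route into the tunnel."""
    if pkt.dst not in FICTITIOUS:
        return None                      # no route into the tunnel; not sent
    return replace(pkt, src=_retag(pkt.src, HIDE_NET))

def asa_inbound(pkt):
    """ASA: destination NAT, fictitious IP -> real server."""
    return replace(pkt, dst=FICTITIOUS[pkt.dst]) if pkt.dst in FICTITIOUS else None

def remote_egress(pkt):
    """Where the remote site delivers a reply: anything addressed to the
    (overlapping) LAN range stays on the remote LAN and never enters the tunnel."""
    return "lan" if ipaddress.ip_address(pkt.dst) in OVERLAP_LAN else "tunnel"

def asa_reply(pkt):
    """ASA: undo the destination NAT on the reply (real server -> fictitious IP)."""
    return replace(pkt, src={real: f for f, real in FICTITIOUS.items()}[pkt.src])

def pan_reply(pkt):
    """PAN: undo the source NAT (hide address -> original client)."""
    return replace(pkt, dst=_retag(pkt.dst, OVERLAP_LAN))

def round_trip(client, fictitious_dst):
    """Walk one request and its reply through both firewalls; return what the client sees."""
    at_server = asa_inbound(pan_outbound(Packet(client, fictitious_dst)))
    reply = Packet(at_server.dst, at_server.src)      # server answers the hide address
    if remote_egress(reply) != "tunnel":
        return None                                   # reply swallowed by the remote LAN
    return pan_reply(asa_reply(reply))

def round_trip_without_nat(client, real_dst):
    """Same walk with no source NAT: the reply is addressed into the overlapping LAN."""
    return remote_egress(Packet(real_dst, client))
```

With the translation in place the client receives its reply from the fictitious IP it connected to; without it, the server's reply is delivered on the remote LAN because the client address overlaps.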
L0 Member

Thank you all for your replies; this was exactly what I needed!
