Cisco ASA 5510 Site to site VPN tunnel but remote site has same network - need to NAT

Posted on 2011-05-13
Last Modified: 2012-05-11
Hi everyone,

So here's the scenario - both sites are using Cisco ASA 5510 - I've got the tunnel up but need to know how to configure a solution for this issue:

- Remote site needs access to monitor equipment on our network however remote site has an internal network using the exact same address space

- Remote site would like us to NAT to network so that any requests made to my 172 network would come back to that 10 network

- I asked our support people how this could be done (preferably in the GUI, as I'm not very strong in the CLI on the ASA); here's what they came back with.

access-list RemoteSite-NAT extended permit ip
static (inside,outside) access-list RemoteSite-NAT
access-list RemoteSite-VPN extended permit ip


Does this look like a proper solution? If the remote side is trying to ping a device on my 172 network, what would he use to ping? Or do I need to make any changes to my switches to allow this traffic through? (I wouldn't think so, as the ASA should be doing all the translation, but...)

Thanks in advance!
Question by:ITGeneral
    LVL 12

    Expert Comment

    I don't think it is a proper solution.

    Here is an example of the config, just like the one you need:

    Substitute IP addresses with yours and that should be it.

    LVL 12

    Accepted Solution

    Sorry, I overlooked that you are using a VPN, so you need static policy NAT, so the configuration from your support people is correct.
    My apologies!

    The answer to your other question is , as he sees you by that IP in his network. The above sequence of commands says this:
    When you are trying to reach network from your network, translate address to (translation is one-to-one).

    You don't need to change anything on the switches; only if you have a router behind the ASA will you need to add a static route:
    ip route <IP of ASA's inside interface>

    Once again my apologies for previous incorrect answer!
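To make the one-to-one policy translation concrete, here is an added Python model (not from this thread and not Cisco's code) that parses the three-line static policy NAT shape from the question, with constructed addresses filled in, and applies it in both directions. The local LAN 10.1.1.0/24, the mapped range 172.16.1.0/24 and the address 172.16.2.0/24 under which the remote site is assumed to appear across the tunnel are all assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of the three lines from the question, with assumed
# addresses: local LAN 10.1.1.0/24 is shown over the tunnel as 172.16.1.0/24, and the
# remote site is assumed to appear as 172.16.2.0/24 (its own non-overlapping range).
ASA_CONFIG = """
access-list RemoteSite-NAT extended permit ip 10.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list RemoteSite-NAT
access-list RemoteSite-VPN extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
"""

def parse_policy_nat(config):
    """Return (real_net, remote_net, mapped_net) from the static policy NAT lines."""
    static = re.search(r"static \(inside,outside\) (\S+) access-list (\S+)", config)
    mapped_ip, acl_name = static.groups()
    acl = re.search(rf"access-list {acl_name} extended permit ip (\S+) (\S+) (\S+) (\S+)", config)
    real_ip, real_mask, dst_ip, dst_mask = acl.groups()
    real = ipaddress.ip_network(f"{real_ip}/{real_mask}")
    remote = ipaddress.ip_network(f"{dst_ip}/{dst_mask}")
    # The mapped range takes its size from the ACL's source mask (one-to-one mapping).
    mapped = ipaddress.ip_network(f"{mapped_ip}/{real_mask}")
    return real, remote, mapped

def translate_outbound(nat, src, dst):
    """Inside -> tunnel: rewrite src only when dst is in the remote net (policy match)."""
    real, remote, mapped = nat
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in real and dst in remote:
        return str(mapped.network_address + (int(src) - int(real.network_address)))
    return str(src)

def untranslate_inbound(nat, src, dst):
    """Tunnel -> inside: the remote host targets the mapped address; restore the real one."""
    real, remote, mapped = nat
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in remote and dst in mapped:
        return str(real.network_address + (int(dst) - int(mapped.network_address)))
    return str(dst)

def ranges_are_distinct(nat):
    """Sanity check: the mapped range must not collide with the local LAN or the remote net."""
    real, remote, mapped = nat
    return not (mapped.overlaps(real) or mapped.overlaps(remote) or real.overlaps(remote))

if __name__ == "__main__":
    nat = parse_policy_nat(ASA_CONFIG)
    print(translate_outbound(nat, "10.1.1.5", "172.16.2.7"))    # 172.16.1.5
    print(untranslate_inbound(nat, "172.16.2.7", "172.16.1.5"))  # 10.1.1.5
    print(ranges_are_distinct(nat))  # True
```

The remote side pings the mapped address (172.16.1.5 here) to reach the real host 10.1.1.5, and the ASA only translates when the destination matches the ACL, so ordinary Internet-bound traffic from the LAN is left alone.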


    Author Closing Comment

    Thanks Fidelius, no worries about first comment as I didn't get around to looking at this until Monday morning anyway.

    Haven't been able to fully test this new setup yet as we've been having issues with the tunnel itself for one reason or another. So once we get that ironed out I'll post back here if there's any issues but I agree that this should work just fine.
