Howto NAT VPN Traffic on a Cisco ASA

I couldn’t find any clear information on the Internet about this, so I thought I would outline it here. Say you have to setup a Site-to-Site VPN to a third party who can’t accept traffic from the subnet you have created on your internal network because your network overlaps with theirs, or as in my case, they just want one address coming over to their network. The answer is to NAT that VPN traffic using a non-overlapping IP address.

Let’s say we have the following parameters:

Your Network:
Their Network:
Host you need access to on the other side:

Simplistic example but you get the idea. You need to access the host address above to run a certain application. The 3rd party also provides you with the address they want you to use for your NAT.

IP Address Provided by 3rd Party:

OK so you know you have to make all of your traffic look like it is coming from to make this VPN work, but the question is how. This is where I got stuck. There are very few articles on the web that deal with this situation and I had to end up piecing the eventual answer together from several different articles. But here you go:

First, create an access-list that will allow your traffic coming from your network to access the host on the 3rd party network

Next, create an access-list that will allow the NAT address to access the host on the 3rd party network

Now create a NAT statement that flags traffic coming from your network heading to the 3rd party host

Next create a GLOBAL statement that NATs the traffic flagged as interesting in the above statement into the address provided by the 3rd pary

Finally create a crypto map statement in your VPN configuration that flags the necessary traffic as interesting so the VPN knows when to start

After performing the above steps, if you ping the address, you should be able to see your VPN start up and after a brief delay you should get replies.