Cisco ASA IPSEC VPN Tunnel (with NAT!)

I’ve been asked about this a number of times on the job. You have to create a VPN tunnel between two ASA devices – using the command line. There’s also a twist – the IP address of your destination device(s) is already in use by someone else they’ve peered with, so you’ll need to NAT your device’s IP address(es) when speaking to the remote end.

Take this diagram:

Let’s make a few assumptions, then onto the configuration:

  • We’re routing between two hosts on the remote end and one on the local end
  • You’ll be using NAT to present your local host ( as
  • Your remote peer is
  • Phase 1: ISAKMP, AES-256 Encryption, SHA1 hashing, Group 5, Lifetime=86400
  • Phase 2: ESP Encapsulation, AES256 Encryption, SHA hashing

My config (with explanations):

Group our remote addresses together:
object-group network REMOTE_VPN_IPs

This ACL is used to NAT traffic below:
access-list REMOTE_VPN_REWRITE extended permit ip host object-group REMOTE_VPN_IPs

This ACL matches traffic for our VPN tunnel - notice the rewritten address:
access-list outside_5_cryptomap extended permit ip host object-group REMOTE_VPN_IPs

This Static NAT statement re-writes traffic to the new address:
static (inside,outside) access-list REMOTE_VPN_REWRITE

We need a transform set for our next statements:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

We're creating a unique crypto map (in our router, this is the fifth VPN tunnel):
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group5
crypto map outside_map 5 set peer
crypto map outside_map 5 set transform-set ESP-AES-256-SHA

We need to create an ISAKMP policy allowing Phase 1 traffic:
crypto isakmp policy 110
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

And our tunnel-group:
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key Pr3$h@ReDK33

Hope this helps someone!