0 votes
2,120 views 6 comments


We need to configure an IPSec VPN between our network and a RUT955.

We need to use SNAT because the remote gateway (RUT955) must have IP address and corresponding subnet must be

We configured SNAT as below, but we can’t reach remote hosts on subnet. We can’t understand which IP we have to insert in the ‘SNAT IP address’ field.

Please, could you help us to fix this issue?

Many thanks


3 Answers

0 votes


Could you draw and share a simple topology scheme with the IP addresses of your solution?

Also, could you elaborate on "we can't reach remote host on"? From what device are you trying to reach ""?


"we can't reach remote host on"?: we tried to ping the remote host ( but it doesn't respond.

How can we configure SNAT?




Thank you for the topology scheme.

Are you certain that you indeed need to use SNAT in this particular solution? (i.e. maybe you have used another device in the same solution before and SNAT was the way you achieved the connectivity?)

If answer to above question is "No", then you should be able to accomplish everything just with "Static routes". I.e.:

 - on your Cisco ASA 5515 you would have to configure a static route, so that "" would be reachable via your RUT955 router (via IPsec), and

 - on your RUT955 you would have to specify that is reachable via this IPsec tunnel. That can be done from the "Network -> VPN -> IPsec" menu's "Remote IP address/Subnet mask" field, by entering the "" value.

That should be enough so that your and network could communicate with each other. (If configuring static routes is not enough, then more in-depth debugging is necessary to determine why the devices cannot communicate with each other. You could start to do that by launching Wireshark/tcpdump logs on both routers and investigating where individual packets go from each router.)

0 votes

Which subnet do you advertise to the ASA via IPsec?

I'm not sure I understand well.

The subnet we want to make reachable to the ASA is as in the drawing.

OK, cool. Do you have the IPsec tunnel "up" between RUT and ASA? If yes, what is the local IP address of RUT (the local subnet you advertise to ASA so it can reach it via IPsec)?

Yes, I have the tunnel up.

The local IP address of RUT is subnet

I need more details, e.g. RUT IP address and subnet mask, one of the servers IP address (for instance and subnet mask).

0 votes


You have three devices:

Device 1: CISCO ASA 5515 (
Device 2: RUT955 (
Device 3: unknown device (

In order to ping from, you need to add:

  • an additional remote network on Device 1 (CISCO) IPsec config:
  • an additional local network on Device 2 (RUT955) IPsec config:

In order for to ping you need a route to from Login to the router's WebUI and go to the Network → Routing → Static Routes section and add a route to:

  • Table: MAIN
  • Destination:
  • Netmask:
  • Gateway: Device 3 IP address

Finally, you need to add a firewall rule to the FORWARD chain of Device 3 in order to be able to ping the network behind it. Unfortunately, I don't know how to configure firewall rules on Device 3 (CISCO?). But the basic idea is that you need to allow traffic on Device 3 FORWARD chain that is:

  • originating from
  • destined to

An iptables analogue would look like this:

iptables -I FORWARD -i eth1 -s -d -j ACCEPT

To reach from (RUT955), create an identical rule, but swap with
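The last answer lists several separate conditions that must all hold before a host behind the ASA can reach the network behind Device 3. As an added example (not part of the original thread), the sketch below checks a described setup against those conditions and reports which one is missing. All addresses and the `cfg` layout are constructed assumptions, since the thread's real values are not shown.

```python
import ipaddress as ip

# Constructed addressing (assumption; not the thread's real values).
ASA_LAN = "10.1.0.0/24"     # behind Device 1 (Cisco ASA)
RUT_LAN = "192.168.1.0/24"  # behind Device 2 (RUT955)
DEV3_NET = "172.16.5.0/24"  # behind Device 3
DEV3_IP = "192.168.1.2"     # Device 3's address on the RUT955 LAN

def inside(addr, net):
    return ip.ip_address(addr) in ip.ip_network(net)

def audit(cfg, src, dst):
    """List what still blocks src (ASA side) from reaching dst (behind Device 3)."""
    problems = []
    # Device 1: dst's network must be a remote network of the IPsec tunnel.
    if not any(inside(dst, n) for n in cfg["asa_remote_nets"]):
        problems.append("Device 1: no remote network covers destination")
    # Device 2: the same network must be a local network (selectors mirror each other).
    if not any(inside(dst, n) for n in cfg["rut_local_nets"]):
        problems.append("Device 2: no local network covers destination")
    # Device 2: static route to dst whose gateway sits on the RUT955 LAN.
    route = next((r for r in cfg["rut_routes"] if inside(dst, r["dest"])), None)
    if route is None:
        problems.append("Device 2: no static route to destination")
    elif not inside(route["gateway"], cfg["rut_lan"]):
        problems.append("Device 2: route gateway is not on its LAN")
    # Device 3: FORWARD chain must accept src -> dst.
    if not any(inside(src, s) and inside(dst, d) for s, d in cfg["dev3_forward"]):
        problems.append("Device 3: FORWARD does not accept source -> destination")
    return problems

# Tunnel carries only the RUT955 LAN; nothing configured for Device 3's network.
BEFORE = {"rut_lan": RUT_LAN, "asa_remote_nets": [RUT_LAN],
          "rut_local_nets": [RUT_LAN], "rut_routes": [], "dev3_forward": []}
# Every step from the answer applied.
AFTER = {"rut_lan": RUT_LAN, "asa_remote_nets": [RUT_LAN, DEV3_NET],
         "rut_local_nets": [RUT_LAN, DEV3_NET],
         "rut_routes": [{"dest": DEV3_NET, "gateway": DEV3_IP}],
         "dev3_forward": [(ASA_LAN, DEV3_NET), (RUT_LAN, DEV3_NET)]}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg, "10.1.0.10", "172.16.5.20") or "OK")
```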