• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2142
  • Last Modified:

Cisco ipsec vpn with NAT'ed address

I have to create a site-to-site ipsec vpn with the local address nat'ed before going over the tunnel. Would this config work? Any advice greatly appreciated. Thanks.

access-list 120 remark ACL for VPN traffic
access-list 120 remark host 192.168.a.b NAT'ed to 12.a.b.c
access-list 120 permit icmp host 12.a.b.c host 192.168.v.w
access-list 120 permit tcp host 12.a.b.c host 192.168.v.w eq ftp

crypto isakmp key presharedkey address 135.l.m.n
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mycryptomap 20 ipsec-isakmp
set peer 135.l.m.n
set transform-set myset
match address 120
reverse-route static

access-list 121 remark ACL for mymap route map
access-list 121 permit ip host 192.168.a.b host 192.168.v.w

route-map myroutemap permit 10
      match ip address 121

ip nat inside source static 192.168.a.b 12.a.b.c route-map myroutemap

Int fa0/0
      ip add 12.a.b.g
      ip nat outside
Int f0/1
      ip add 192.168.a.g
       ip nat inside
      crypto-map mycryptomap

the vpn device on my side is a 2801 router with  Version 12.3(14)T2
the host most only be NAT'ed for traffic to that single remote host. No NAT for VPN traffic to other networks.
  • 3
1 Solution
cavacamiteAuthor Commented:
Sorry... the vpn device on my side is a 2801 router with  Version 12.3(14)T2. Thanks.

snippet from


IPsec NAT TransparencyThe IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Point Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec. NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

cavacamiteAuthor Commented:
Thanks for the link.
What I'm trying to verify is if the route map config will work so that the NAT'ed address forms the tunnel for traffic only to that remote host and not NAT traffic for other VPN connections.
cavacamiteAuthor Commented:
Update: I've verified using the route map to NAT specific trap works and the VPN comes up ok.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now