
Cisco ipsec vpn with NAT'ed address

I have to create a site-to-site ipsec vpn with the local address nat'ed before going over the tunnel. Would this config work? Any advice greatly appreciated. Thanks.

! Crypto ACL: interesting traffic is matched on the NAT'ed source address,
! because for inside-to-outside traffic IOS translates before the crypto map is checked
access-list 120 remark ACL for VPN traffic
access-list 120 remark host 192.168.a.b NAT'ed to 12.a.b.c
access-list 120 permit icmp host 12.a.b.c host 192.168.v.w
access-list 120 permit tcp host 12.a.b.c host 192.168.v.w eq ftp

crypto isakmp key presharedkey address 135.l.m.n
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mycryptomap 20 ipsec-isakmp
 set peer 135.l.m.n
 set transform-set myset
 match address 120
 reverse-route static

! Route-map ACL: pre-translation source, only for traffic to the single remote host
access-list 121 remark ACL for mymap route map
access-list 121 permit ip host 192.168.a.b host 192.168.v.w

route-map myroutemap permit 10
 match ip address 121

! Conditional static NAT: translation happens only when route-map myroutemap permits
ip nat inside source static 192.168.a.b 12.a.b.c route-map myroutemap

! Outside interface: the crypto map belongs here, where the peer 135.l.m.n is reached
interface FastEthernet0/0
 ip address 12.a.b.g
 ip nat outside
 crypto map mycryptomap
interface FastEthernet0/1
 ip address 192.168.a.g
 ip nat inside

The VPN device on my side is a 2801 router with Version 12.3(14)T2.
The host must only be NAT'ed for traffic to that single remote host. No NAT for VPN traffic to other networks.
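To check what the posted route-map design actually does to a flow, here is a small simulator of the IOS inside-to-outside order of operations (NAT before the crypto map lookup), which is why ACL 120 has to list the translated address. It is an added example, not part of the question or the router's code, and the addresses are constructed stand-ins for the 192.168.a.b, 12.a.b.c and 192.168.v.w placeholders.

```python
from ipaddress import ip_address

# Constructed stand-ins for the question's placeholders (not real addresses):
INSIDE_HOST = ip_address("192.168.10.5")   # 192.168.a.b
NAT_ADDR = ip_address("12.0.0.5")          # 12.a.b.c
REMOTE_HOST = ip_address("192.168.20.7")   # 192.168.v.w

# Each ACE: (protocol, source host, destination host, destination port or None).
# "ip" matches every protocol; a port of None matches every port.
ACL_121_ROUTEMAP = [("ip", INSIDE_HOST, REMOTE_HOST, None)]
ACL_120_CRYPTO = [
    ("icmp", NAT_ADDR, REMOTE_HOST, None),
    ("tcp", NAT_ADDR, REMOTE_HOST, 21),    # "eq ftp"
]


def acl_permits(acl, proto, src, dst, dport):
    """First-match evaluation of a host-only extended ACL (implicit deny at the end)."""
    for ace_proto, ace_src, ace_dst, ace_port in acl:
        if ace_proto not in ("ip", proto):
            continue
        if src != ace_src or dst != ace_dst:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return True
    return False


def forward(proto, src, dst, dport=None):
    """Inside-to-outside packet: returns (source seen on the wire, encrypted?).

    NAT is applied before the crypto map is consulted, so the crypto ACL
    is evaluated against the translated source, as ACL 120 expects.
    """
    src, dst = ip_address(src), ip_address(dst)
    # 'ip nat inside source static ... route-map': translate only if ACL 121 permits.
    if src == INSIDE_HOST and acl_permits(ACL_121_ROUTEMAP, proto, src, dst, dport):
        src = NAT_ADDR
    encrypted = acl_permits(ACL_120_CRYPTO, proto, src, dst, dport)
    return str(src), encrypted
```

Note that ACL 121 is broader than ACL 120: a flow such as TCP/22 to the remote host is still translated but not encrypted, so it leaves with the NAT'ed source in the clear unless another crypto map entry or a filter catches it.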
1 Solution
cavacamiteAuthor Commented:
Sorry... the VPN device on my side is a 2801 router with Version 12.3(14)T2. Thanks.

snippet from

IPsec NAT Transparency

The IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Point Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec. NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

cavacamiteAuthor Commented:
Thanks for the link.
What I'm trying to verify is if the route map config will work so that the NAT'ed address forms the tunnel for traffic only to that remote host and not NAT traffic for other VPN connections.
cavacamiteAuthor Commented:
Update: I've verified that using the route map to NAT specific traffic works and the VPN comes up ok.
