Cisco IPsec VPN with NAT'ed address

Posted on 2009-04-24
Last Modified: 2012-05-06
I have to create a site-to-site IPsec VPN with the local address NAT'ed before going over the tunnel. Would this config work? Any advice greatly appreciated. Thanks.

! ACL 120 is the crypto ACL. It is written against the translated (post-NAT)
! source address because, on the inside-to-outside path, IOS applies the
! inside source NAT before it evaluates the crypto map.
access-list 120 remark ACL for VPN traffic
access-list 120 remark host 192.168.a.b NAT'ed to 12.a.b.c
access-list 120 permit icmp host 12.a.b.c host 192.168.v.w
! "eq ftp" covers only the FTP control channel (tcp/21)
access-list 120 permit tcp host 12.a.b.c host 192.168.v.w eq ftp
!
! The posted config had no ISAKMP policy; without a policy that uses
! pre-shared keys the "crypto isakmp key" line is never used.
! Policy values below are assumed, not from the original post.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key presharedkey address 135.l.m.n
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mycryptomap 20 ipsec-isakmp
 set peer 135.l.m.n
 set transform-set myset
 match address 120
 reverse-route static
!
! ACL 121 selects the pre-NAT packets that the static translation applies to,
! so it uses the inside (untranslated) address.
access-list 121 remark ACL for myroutemap route map
access-list 121 permit ip host 192.168.a.b host 192.168.v.w
!
route-map myroutemap permit 10
 match ip address 121
!
ip nat inside source static 192.168.a.b 12.a.b.c route-map myroutemap
!
! Subnet masks were omitted in the original post.
! The crypto map is applied to the outside interface (the one facing the peer);
! the original post had "crypto-map" on the inside interface, which does not work.
interface FastEthernet0/0
 ip address 12.a.b.g
 ip nat outside
 crypto map mycryptomap
!
interface FastEthernet0/1
 ip address 192.168.a.g
 ip nat inside

The VPN device on my side is a 2801 router with IOS Version 12.3(14)T2.
The host must only be NAT'ed for traffic to that single remote host. No NAT for VPN traffic to other networks.
Question by: cavacamite

    Author Comment

    Sorry... the VPN device on my side is a 2801 router with IOS Version 12.3(14)T2. Thanks.

    Expert Comment


    Snippet from:

    IPsec NAT Transparency

    The IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec. NAT Traversal is a feature that is auto-detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT-T capable, NAT Traversal is auto-detected and auto-negotiated.


    Author Comment

    Thanks for the link.
    What I'm trying to verify is if the route map config will work so that the NAT'ed address forms the tunnel for traffic only to that remote host and not NAT traffic for other VPN connections.

    Accepted Solution

    Update: I've verified that using the route map to NAT specific traffic works and the VPN comes up OK.
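The order-of-operations point behind the question, modelled as an added Python example (not Cisco code and not from the thread): on the inside-to-outside path IOS applies the inside source NAT before it evaluates the crypto map, so the route-map ACL names the original inside address while the crypto ACL names the translated one, and traffic toward other VPN networks passes through untranslated. All addresses are constructed stand-ins for the placeholders in the post (192.168.10.5 for 192.168.a.b, 198.51.100.5 for 12.a.b.c, 192.168.20.7 for 192.168.v.w); the second crypto map entry for 192.168.30.0/24 is an assumed un-NAT'ed site, and `WRONG_ACL_120` is the mistake the question is guarding against (a crypto ACL written with the private source).

```python
"""Model of the IOS inside->outside order of operations for the config in the
question: route-map-conditioned static NAT first, then crypto map matching
against the translated packet.  Added illustration, not Cisco code; all
addresses are constructed stand-ins for the placeholders in the post."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "icmp" or "tcp"
    dport: Optional[int] = None  # TCP destination port, if any


def ace(proto, src, dst, dport=None):
    """One access-list entry: 'ip' matches any protocol, dport=None any port."""
    return (proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for proto, src_net, dst_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src in src_net and dst in dst_net and (dport is None or dport == pkt.dport):
            return True
    return False


# Constructed stand-ins: 192.168.10.5 = 192.168.a.b, 198.51.100.5 = 12.a.b.c,
# 192.168.20.7 = 192.168.v.w.  192.168.30.0/24 is an assumed second VPN
# network whose traffic must NOT be translated.
INSIDE_HOST = "192.168.10.5"
NAT_ADDR = "198.51.100.5"
REMOTE_HOST = "192.168.20.7"

# access-list 121, matched by route-map myroutemap: pre-NAT addresses
ACL_121 = [ace("ip", INSIDE_HOST + "/32", REMOTE_HOST + "/32")]
# access-list 120, crypto map seq 20: post-NAT source address
ACL_120 = [ace("icmp", NAT_ADDR + "/32", REMOTE_HOST + "/32"),
           ace("tcp", NAT_ADDR + "/32", REMOTE_HOST + "/32", 21)]  # eq ftp
# assumed crypto map seq 10 for the un-NAT'ed site
ACL_110 = [ace("ip", "192.168.10.0/24", "192.168.30.0/24")]
CRYPTO_MAP = [(10, ACL_110), (20, ACL_120)]
# the mistake to avoid: crypto ACL written with the private (pre-NAT) source
WRONG_ACL_120 = [ace("icmp", INSIDE_HOST + "/32", REMOTE_HOST + "/32")]


def nat_inside_source_static(pkt):
    """ip nat inside source static 192.168.a.b 12.a.b.c route-map myroutemap:
    translate the source only when the route-map's ACL permits the packet."""
    if pkt.src == INSIDE_HOST and acl_permits(ACL_121, pkt):
        return replace(pkt, src=NAT_ADDR)
    return pkt


def crypto_map_match(pkt, crypto_map=CRYPTO_MAP):
    """Sequence number of the first crypto map entry whose ACL permits the
    packet, or None (the packet is not marked for encryption)."""
    for seq, acl in crypto_map:
        if acl_permits(acl, pkt):
            return seq
    return None


def egress(pkt, crypto_map=CRYPTO_MAP):
    """Inside->outside path: NAT runs before the crypto map is consulted.
    Returns (source address on the wire, crypto map entry or None)."""
    translated = nat_inside_source_static(pkt)
    return translated.src, crypto_map_match(translated, crypto_map)


if __name__ == "__main__":
    for p in (Packet(INSIDE_HOST, REMOTE_HOST, "icmp"),
              Packet(INSIDE_HOST, REMOTE_HOST, "tcp", 21),
              Packet(INSIDE_HOST, REMOTE_HOST, "tcp", 80),
              Packet(INSIDE_HOST, "192.168.30.9", "icmp")):
        print(p, "->", egress(p))
    print("crypto ACL written with private source:",
          egress(Packet(INSIDE_HOST, REMOTE_HOST, "icmp"), [(20, WRONG_ACL_120)]))
```

Two results are worth noting. Traffic from the inside host to the remote host on a port not listed in ACL 120 (tcp/80 here) is still translated by the route map but matches no crypto map entry, so it is not encrypted; the crypto ACL and the route-map ACL should cover the same set of flows. And with the crypto ACL written against the private source, nothing matches at all, which is why ACL 120 in the question names 12.a.b.c rather than 192.168.a.b.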
