Site-to-site VPN issue: Passing public IP through IPSEC

Answered Question
Mar 21st, 2007

Hi all,

I need to create a site-to-site VPN tunnel using IPSEC established over the Internet between two offices. The offices belong to two different companies.

I was given a range of 16 public IP addresses. One of these IPs is used on the ISP's router and it is the next-hop for my router. Another IP from the range is used on my router's external interface (which is a Cisco 851) and it is also my site's VPN endpoint. So far so good...

Here is my problem: the source IP for the encrypted traffic is a public address from within the 16 public IPs I have (not the one on my router's interface). The actual application that needs to send the encrypted data is a server in my LAN, and it has a private IP. The other site, however, expects to receive the encrypted data from the public IP. I used NAT between the private IP address of the server and its public IP, but no data passes through the tunnel. By the way, the tunnel between the two end points establishes with no problem. The problem is that the source of my encrypted data is the public IP and I do not know how to route it through the tunnel. I am attaching the configuration of my router.

Any help is appreciated.

Kamal Malhotra Wed, 03/21/2007 - 07:53


Please try to configure a static instead of port forwarding :

ip nat inside source static AA.AA.AA.AB


Please rate if it helps,



Correct Answer
kaachary Wed, 03/21/2007 - 07:59

The access-list "natted-traffic" should say :

ip access-list extended natted-traffic
deny ip host host BB.BB.BB.BD
deny ip host host BB.BB.BB.BE


Hope this helps.


kaachary Wed, 03/21/2007 - 09:13

That is what this will do !

You have to first deny it from PATing, so that it's statically NATed.


cchristodoulou Wed, 03/21/2007 - 12:53

kmalhotr and kaachary,

Thank you for the response but unfortunately neither suggestion solved my problem. I have run the VPN TEST through the SDM and it showed the NAT test as successful, along with everything else, except the peer connectivity. As I said before the VPN tunnel is established but cannot pass traffic through it. SDM also reported the following:


Failure Reason(s): The following source(s) are routed through the crypto map interface. 1) AA.AA.AA.AB

Recommended Action(s): Go to 'Configure->Routing' and correct the routing table


If I understand this correctly, I need to tell the traffic originating from IP AA.AA.AA.AB to be forwarded through my VPN endpoint with IP AA.AA.AA.AA. How can I do this though, since IP AA.AA.AA.AB is not configured on any interface, it is in the same IP range as AA.AA.AA.AA and it is only used for static NATing an internal private IP (

kaachary Wed, 03/21/2007 - 13:11

I don't think it's a problem with the routing. Can you please post the output of "sh cry ipsec sa" and "sh ip nat trans" when you try to initiate some traffic.


cchristodoulou Thu, 03/22/2007 - 13:13


It turns out you were right! I made the changes remotely last night and then tried to test my tunnel through the SDM. SDM gave an error. I kept the changes however and today I tried the tunnel by starting my actual application... it worked like a charm.

My access-lists now look like below:

ip access-list extended natted-traffic
deny ip host AA.AA.AA.AB host BB.BB.BB.BD
deny ip host AA.AA.AA.AB host BB.BB.BB.BE
deny ip host BB.BB.BB.BD
deny ip host BB.BB.BB.BE
permit ip any

ip access-list extended vpn-control-list
permit ip host AA.AA.AA.AB host BB.BB.BB.BD
permit ip host AA.AA.AA.AB host BB.BB.BB.BE
permit ip host host BB.BB.BB.BD


Probably I can remove a couple of lines out of there, something to try tomorrow!

Thank you for the help.
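The pattern the thread converges on (exempt the VPN-bound flow from PAT so only the one-to-one static translation applies, then match the post-NAT public source in the crypto ACL), written out as a complete added example that is not the poster's configuration or Cisco documentation. It keeps the thread's scrubbed AA/BB placeholders; the inside address 192.168.1.10, the interface name, the peer address BB.BB.BB.BB, and the names VPN-MAP and TS are constructed, and an ISAKMP policy and transform set are assumed to already exist.

```cisco
! Roles of the placeholder addresses (same notation as the thread):
!   AA.AA.AA.AA  router outside interface and local IPsec endpoint
!   AA.AA.AA.AB  public address the remote site expects as the source
!   BB.BB.BB.BD, BB.BB.BB.BE  remote hosts reached only through the tunnel
!   192.168.1.10 the server's private address (constructed)
!
! 1. One-to-one static translation for the server, not a per-port forward,
!    so every protocol and port from the server leaves as AA.AA.AA.AB.
ip nat inside source static 192.168.1.10 AA.AA.AA.AB
!
! 2. PAT for the rest of the LAN. The NAT ACL is evaluated against the
!    pre-translation (inside) address, so the deny lines name the private
!    server address and the tunnel destinations. Those flows are never
!    overloaded onto the interface address; only the static entry applies.
ip access-list extended natted-traffic
 deny   ip host 192.168.1.10 host BB.BB.BB.BD
 deny   ip host 192.168.1.10 host BB.BB.BB.BE
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list natted-traffic interface FastEthernet4 overload
!
! 3. Crypto ACL. For inside-to-outside packets IOS translates first and
!    consults the crypto map afterwards, so "interesting traffic" must be
!    written with the post-NAT public source, never the private address.
!    The remote side mirrors this ACL (BB hosts -> host AA.AA.AA.AB).
ip access-list extended vpn-control-list
 permit ip host AA.AA.AA.AB host BB.BB.BB.BD
 permit ip host AA.AA.AA.AB host BB.BB.BB.BE
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer BB.BB.BB.BB
 set transform-set TS
 match address vpn-control-list
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 ip address AA.AA.AA.AA 255.255.255.240
 ip nat outside
 crypto map VPN-MAP
!
! Check: after the server sends traffic, "show ip nat translations" should
! list 192.168.1.10 -> AA.AA.AA.AB (not the interface address), and the
! #pkts encaps / decaps counters in "show crypto ipsec sa" should increase.
```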

