Jul 5th, 2007

We have enabled the VPN and NAT on the same router. We would like the following:

1. Can NAT to the outside internet (using x.x.x.x overload)

2. Can access the TW office via VPN

For details please refer to the config file. The VPN is working if we use extended ping.

We find that it always goes to Gi 0/0 when we access the network. Is anything missing in my config? Please advise.

Best regards




crypto map mymap 101 ipsec-isakmp
 description VPN to TW office
 set peer 201.x.x.x
 set transform-set myset
 match address 101

interface GigabitEthernet0/0
 ip nat outside
 crypto map mymap

interface GigabitEthernet0/2
 ip address
 ip nat inside

ip nat pool NAT x.x.x.x x.x.x.x netmask
ip nat inside source route-map nonat pool NAT overload

access-list 100 deny ip
access-list 100 permit ip any
access-list 101 permit ip

route-map nonat permit 10
 match ip address 100

Amit Singh (Cisco Employee) Thu, 07/05/2007 - 22:20

This is absolutely fine. You have only one link and you are setting up a VPN over the internet to the TW office. Any traffic that leaves for the internet or the VPN will always go via Gig 0/0, as that is your outside-facing link.

If you have any other link on the router then you can use PBR to have the internet traffic go via one link and the VPN traffic go via another link.

HTH, please rate if it does.

-amit singh

leungcm Fri, 07/06/2007 - 06:53

Hi, there is one Internet link (Gig Ethernet).

We would like:

A. --> --> gi ether ----> VPN

B. --> ---> gi eth -----> internet

Currently, "A" is not working. It seems that it goes via "B" no matter what the destination IP address is.

Any advice?
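
On IOS, an inside-to-outside packet is translated by NAT before the crypto map is consulted, so any VPN destination that the nonat ACL 100 fails to deny is translated and leaves as ordinary internet traffic without ever matching crypto ACL 101; that is exactly how path "A" ends up looking like path "B". The checker below is an added example, not the poster's or Cisco's code: because the forum stripped the real addresses from the config, it works on constructed access-list lines (10.1.0.0/16 as the local LAN and 10.2.0.0/16 as the TW office are made-up stand-ins) and reports every crypto-ACL entry that the NAT ACL would translate first.

```python
import ipaddress

# Constructed IOS fragment standing in for the poster's config, whose addresses the
# forum page stripped: 10.1.0.0/16 plays the local LAN, 10.2.0.0/16 the TW office.
CONFIG = """
access-list 100 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
# Same config with the NAT-exempt deny missing: VPN traffic would be translated.
BROKEN_CONFIG = "\n".join(ln for ln in CONFIG.splitlines() if " deny " not in ln)

def _operand(tokens, i):
    """Parse one ACL address operand ('any', 'host A', 'A WILDCARD'); return (network, tokens used)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)  # IOS wildcard is an inverted netmask
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), 2

def parse_acls(config):
    """Collect numbered extended 'ip' entries as {number: [(action, src, dst), ...]}."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, used = _operand(t, 4)
        dst, _ = _operand(t, 4 + used)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def nat_verdict(nat_acl, src, dst):
    """First match of a crypto ACE's whole range against the NAT ACL: 'deny' means exempt
    from translation, 'permit' means translated, 'split' means only part of the range hit."""
    for action, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
        if src.overlaps(s) and dst.overlaps(d):
            return "split"
    return "deny"  # implicit deny at the end of the ACL: left untranslated

def vpn_flows_that_get_natted(config, nat_acl=100, crypto_acl=101):
    """Crypto-ACL permits the NAT route-map would translate before the crypto map sees them."""
    acls = parse_acls(config)
    verdicts = {(s, d): nat_verdict(acls.get(nat_acl, []), s, d)
                for a, s, d in acls.get(crypto_acl, []) if a == "permit"}
    return [f"{s} -> {d}: NAT verdict {v}" for (s, d), v in verdicts.items() if v != "deny"]
```

Run it against a pasted config after filling in the real networks; an empty list means every crypto ACL 101 entry is exempted by ACL 100, and a "split" verdict means the deny covers only part of a VPN range.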

Amit Singh (Cisco Employee) Fri, 07/06/2007 - 07:07

What I can get from the above post is that you are able to go to the internet but unable to connect to the TW office, is that correct?

If yes, what does the output of "show crypto isakmp sa" tell you on the routers at both your end and the TW end? It seems that your VPN is not working to the TW site. Please paste the output of "show crypto map" as well.

-amit singh

leungcm Fri, 07/06/2007 - 08:18

Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id Local   Remote  I-VRF Status Encr Hash Auth DH Lifetime Cap.
140  x.x.x.x y.y.y.y       ACTIVE des  md5  psk  1  23:48:23

Connection-id:Engine-id = 140:1(software)
