Site2Site VPN or NAT issue

Unanswered Question
Aug 1st, 2007

I have a site to site vpn from an 877 to an 1841. Everything works fine for the VPN but I am having problems with allowing access from the internet to internal servers on the LAN attached to the 1841.

If I add an ip nat inside statement for a service (for example RDP), then that service stops working over the VPN. It does work from the internet, however.

Is this a NAT issue of some sort?

I've attached the bland config of the 1841 removing references to client specifics, and bits not relevant to this problem.

Thanks for any assistance.

mattiaseriksson Thu, 08/02/2007 - 01:57

Yes you need to use a route-map with your NAT statements.

The route-map option can be used to translate only traffic going to the public network, and not translate traffic destined for the VPN.

Damian Halloran Thu, 08/02/2007 - 02:02

Is this what I need here:

Make sure that your device is configured to use the NAT Exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and Remote Access configurations.

Here, an IOS router is configured to exempt traffic that is sent between /24 and /24 or /24 from NAT. Traffic destined for anywhere else is subject to NAT overload:

access-list 110 deny ip
access-list 110 deny ip
access-list 110 permit ip any
route-map nonat permit 10
 match ip address 110
ip nat inside source route-map nonat interface FastEthernet0/0 overload

It is taken from this link:


mattiaseriksson Thu, 08/02/2007 - 02:13

Yes, but you need to use the route-map with your static command. This example is for dynamic NAT (PAT).

You just add a route-map statement to the end of the static command. Look up the nat inside command in the manual.

Configure the route-map like in the example to DENY traffic destined for the vpn and permit everything else.

Damian Halloran Thu, 08/02/2007 - 02:23

One last question: Does it need to be on both ends of the VPN or just the end where the services that I am trying to reach are located?

mattiaseriksson Thu, 08/02/2007 - 02:27

Only where the static NAT is.

The other end (client) will always try to reach the services using the real IP address; you need to make sure that the traffic coming back is NOT translated.

Damian Halloran Thu, 08/09/2007 - 17:34


Thank you very much for your help. Even though your answer wasn't the one, it did start me on the right track. The problem with using the route-map command with the static nat command is that it wasn't supported in the IOS version I had.

I found this suggestion from 2004 which has resolved the problem. I've posted it here in case others need it.

Create a loopback interface without the ip nat statement:

interface loopback 0
 ip address

Create an access list to match the traffic that is being inadvertently

access-list 199 permit ip host y.y.y.0

The host is a private IP because NAT has not happened yet. You could be more specific and do TCP and port, but that would probably make this more confusing. y.y.y is your network, and I assumed class C.

Create a route-map to match the traffic and set the next hop out the loop

route-map lanint permit 10
 match ip address 199
 set ip next-hop

Bind the route-map to your LAN interface:

interface ?
 ip policy route-map lanint
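Putting the thread's two pieces together as an added example (not the poster's config, and not from the quoted 2004 post; the LAN addresses, interface names, the public address and the 10.255.255.0/30 loopback subnet are constructed placeholders): the route-map exemption from the Cisco document for dynamic PAT, the static RDP forward, and the loopback policy-route workaround so that the server's replies to the remote VPN LAN reach the crypto map untranslated.

```cisco
! Constructed placeholders:
!   LAN behind the 1841  192.168.1.0/24 on FastEthernet0/1 (RDP server 192.168.1.10)
!   LAN behind the 877   192.168.2.0/24, reached over the site-to-site VPN
!   public address       203.0.113.10 on FastEthernet0/0 (ip nat outside, crypto map applied)
!
! 1. Exemption for dynamic PAT: deny = leave VPN-bound traffic untranslated.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
! 2. Static port forward for RDP from the Internet. On an IOS that does not accept
!    route-map on this line, replies from 192.168.1.10 to the remote VPN LAN are
!    translated as well and no longer match the crypto ACL, which is the symptom
!    described in the thread.
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0/0 3389
!
! 3. Workaround: policy-route server -> VPN-LAN traffic to a next hop on a loopback
!    that carries no "ip nat inside". The packet re-enters routing from Loopback0,
!    so inside-source NAT is skipped and it reaches FastEthernet0/0 (and the crypto
!    map) with its private source address intact. Assumed: the next hop is the
!    other address of the loopback's /30.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
!
access-list 199 permit ip host 192.168.1.10 192.168.2.0 0.0.0.255
route-map lanint permit 10
 match ip address 199
 set ip next-hop 10.255.255.2
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map lanint
!
! The crypto ACL must match the untranslated (private) addresses on both sides.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
```

To check the result, open an RDP session from the 877 side and confirm with "show ip nat translations" that no entry appears for 192.168.1.10 towards 192.168.2.0/24, while "show crypto ipsec sa" shows the encrypt counters for that pair increasing.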
