ipsec vpn behind nat

May 29th, 2008
Hi, I would like to build a site to site VPN between 2 routers and behind NAT:


(ASCII topology diagram lost in extraction: three links labelled public, public and private; the addresses did not survive)

I can easily assign a crypto map with and peer destination . But how do I specify from the peer address destination, which is but not directly "routable" because it is behind NAT?

Is there a way, a solution, to make IPsec tunnels site to site but with server/client, a kind of dynamic IPsec tunnel where one of the sites initiates the tunnel to the server ...


alexandre durand

srue Thu, 05/29/2008 - 10:56

Just peer with the public IP of each side. If one side changes or is using a NAT pool (instead of one-to-one NAT) you will have to use another option, like dynamic crypto maps.

michael.leblanc Thu, 05/29/2008 - 11:46

Crypto maps are applied to the "external" interfaces, and peer statements in the crypto maps would reference the far-side "external" interface address.

Crypto ACLs would reference the "internal" network IDs, to identify traffic that requires crypto treatment.

If you are interested in dynamic crypto maps with control over which device initiates tunnel setup, you might want to read up on the "Easy VPN Remote" feature.

There are multiple modes that can be used on the remote side.

durale1789 Fri, 05/30/2008 - 01:29

Thank you for your replies. There are 2 options: either Easy VPN client, but it requires Cisco at the other end ... or that one:

crypto keyring spokes
 pre-shared-key address key cisco123
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address

here is the Cisco URL link where you can find further information about it:


I'm gonna test those 2 options.

I still don't know how to push ACLs with Easy VPN client and remote mode.

Thank you for your advice.
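A fuller hub-side configuration built around the keyring / ISAKMP profile fragment in the post, added here as an example that is neither from the thread nor from Cisco's page: it assumes the hub's outside interface is GigabitEthernet0/0, keeps the key cisco123 from the post, and picks the Phase 1 and Phase 2 algorithms itself. Only the spoke behind NAT can initiate with this design; the hub has no static peer to dial.

```cisco
! Hub router (the side with a fixed public address). Spokes behind NAT
! initiate; the hub only answers, so no 'set peer' is configured here.
!
! Phase 1 policy. Assumed values; the spokes must offer a matching policy.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! NAT-T is negotiated automatically once a NAT device is detected in the
! path; keepalives stop the NAT translation from timing out while idle.
crypto isakmp nat keepalive 20
!
! Wildcard address: any peer presenting this key is accepted. That is what
! lets a NATed or dynamic-address spoke connect, and also why the key must
! be long and unique to this hub, because every spoke shares it.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map: no 'set peer' and no 'match address'; the proxy
! identities come from the spoke's crypto ACL. reverse-route injects a
! static route to the spoke LAN when the SA comes up, so return traffic
! from the hub LAN is steered into the tunnel.
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile L2L
 reverse-route
!
crypto map HUB 10 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 description outside (public) interface, assumed name
 crypto map HUB
```

If the hub also does NAT for its own LAN, the hub-to-spoke traffic must be excluded from that translation, otherwise it will not match the spoke's crypto ACL on the return path.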





