how to configure site to site VPN using NAT

Unanswered Question
Jun 2nd, 2008

Hi Cisco Engineers,

I've heard from the training videos (CBT Nuggets) that when mixing VPN and NAT configuration, you must exclude the IP addresses from being NATed to be able to cross the VPN going to the other side. Do I make sense?

I want to set up a site-to-site VPN, and all the clients behind these routers are able to surf the internet, and it is permitted using NAT. Please help to enlighten me on what I have seen in the video training.

Is there any documentation I should follow when it comes to configuration?

Hoping for your future response.



janchristianbrataas Tue, 06/03/2008 - 03:12


This is simple. After you have created the site-to-site VPN tunnel, you need to add a NAT rule (NAT-Exempt) so that the traffic is NOT being NATed.

From the ASDM, Configure - Firewall - NAT Rule, and add a NAT-Exempt rule on the interface that your NAT network is behind. Source is your network and destination is the remote network.

Hope this works.

michael.leblanc Tue, 06/03/2008 - 07:19

A simple IOS example:

ip access-list extended nat-src
 remark --- Inside source addresses dynamically translated via PAT overload.
 deny ip <near side> <far side>
 permit ip <near side> any

The first ACE would exclude tunnel traffic (<near side> to <far side>) from the NAT process.

The second ACE would NAT any traffic not being sent to far side addresses (through the tunnel).
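A fuller IOS configuration built around the same nat-src idea, added as an illustration and not taken from either poster. All addresses, interface names and the pre-shared key placeholder are constructed; it assumes the local LAN is 192.168.1.0/24 on FastEthernet0/1, the remote LAN is 192.168.2.0/24, and an IOS release that supports the AES/SHA-256/group 14 settings shown.

```cisco
! Constructed example: local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24,
! WAN 203.0.113.1/30 with the IPsec peer at 203.0.113.2.
!
! NAT ACL: the deny for tunnel traffic MUST come before the permit. If the
! permit line came first, packets for 192.168.2.0/24 would be PAT'd to the
! WAN address, would no longer match the crypto ACL, and the tunnel would
! never carry them.
ip access-list extended nat-src
 remark --- Exempt site-to-site traffic, then PAT everything else.
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Crypto ACL: identical to the NAT deny line (and mirrored on the far side).
ip access-list extended vpn-traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address vpn-traffic
!
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list nat-src interface FastEthernet0/0 overload
```

To confirm the exemption is working, "show ip nat translations" should show no entries with a 192.168.2.x destination while "show crypto ipsec sa" shows encaps/decaps counters increasing for the 192.168.1.0/24 to 192.168.2.0/24 pair.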

