IPSec, NAT, Interface ACL

Apr 1st, 2009
clients --- fa0/1 R1 fa0/0 ---ipsec--- fa0/0 R2 --- loopback

R1 fa0/1:

R1 fa0/0:

R2 fa0/0:

R2 Loop0:

I have a lab set up to help me learn about configuring IPSec tunnels, and I can get the tunnel up and running with packets passing back and forth; however, when I assign an ACL to the inside interface, traffic no longer passes.

A bit more information:

I have noticed that although the inbound ACL seems to kill the connection, I can issue 'sh ip nat trans' and still see translations being made.

Here is my relevant config on R1:


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *** address
!
crypto ipsec transform-set esp-3des esp-3des
!
crypto map VPN_crypto 10 ipsec-isakmp
 set peer
 set transform-set esp-3des
 match address VPN_Traffic
!
interface FastEthernet0/0
 ip address
 ip nat outside
 crypto map VPN_crypto
!
interface FastEthernet0/1
 ip address
 ip nat inside
!
ip nat inside source list VPN_NAT interface FastEthernet0/0 overload
!
ip access-list extended VPN_NAT
 permit tcp any host eq www
 permit tcp any host eq 443
 permit ip host host
ip access-list extended VPN_Traffic
 permit ip any host
ip access-list extended Inside_Allowed
 permit ip host
 permit ip host any
 permit ip any host

Thank you in advance for any advice and assistance.


htarra Tue, 04/07/2009 - 07:48

The below list contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.

Make sure that your NAT exemption and crypto ACLs specify the correct traffic.

If you have multiple VPN tunnels and multiple crypto ACLs, make sure that those ACLs do not overlap.

Do not use ACLs twice. Even if your NAT exemption ACL and crypto ACL specify the same traffic, use two different access lists.

Make sure that your device is configured to use the NAT exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and remote access configurations.
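As an added illustration (not part of the thread, and not the poster's config) of how the checklist above maps onto an IOS router like R1: the thread's addresses were stripped, so the values below are constructed (clients 192.168.1.0/24 behind fa0/1, R2 loopback 10.10.10.1). It shows a route-map NAT exemption, a crypto ACL kept separate from the NAT ACL and narrowed from the posted "any", and an inbound interface ACL that still admits the pre-NAT tunnel traffic.

```cisco
! Constructed addresses: clients 192.168.1.0/24, R2 loopback 10.10.10.1
!
! NAT exemption via route-map (the router-side equivalent of nat (0)).
! Traffic denied by the ACL never matches the route-map, so it is not
! translated; all other inside traffic is overloaded on fa0/0.
ip access-list extended NONAT
 deny   ip 192.168.1.0 0.0.0.255 host 10.10.10.1
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NONAT
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
! Crypto ACL: a separate list from NONAT, limited to the tunnel traffic.
! It is evaluated after inside-to-outside NAT, so without the exemption
! above the source would already be the fa0/0 address.
ip access-list extended VPN_Traffic
 permit ip 192.168.1.0 0.0.0.255 host 10.10.10.1
!
! Inbound ACL on the inside interface is checked before routing, NAT and
! the crypto map, so it must permit the untranslated client traffic or
! the tunnel never sees it. The final deny logs whatever is dropped.
ip access-list extended Inside_Allowed
 permit ip 192.168.1.0 0.0.0.255 host 10.10.10.1
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 deny   ip any any log
!
interface FastEthernet0/1
 ip access-group Inside_Allowed in
!
! Verification: per-entry match counters show which line a flow hits,
! and the SA counters show whether anything is being encrypted.
! show ip access-lists Inside_Allowed
! show crypto ipsec sa
! show ip nat translations
```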

