NAT - exception and IPSEC

Unanswered Question
Sep 25th, 2009


We have to configure a site-to-site VPN over the internet (only for one host from each location) on a Cisco ISR and also access this host from the internet.

We have configured access-list for crypto map as follows

access-list 111 permit ip source_host Dect_host

For this particular host there is no corresponding NAT, as all the remaining NATs are static one-to-one host mappings (for example --> Public_ip1, ---> Public_ip2).

Now that we have configured site-to-site IPsec for this one particular host, it is working fine. It is communicating with the other end of the tunnel and it is using the Public_IP address of the "Outside" interface of our router.

As the next step, we need to access this particular host from the internet and not only from the VPN tunnel. Can it be done?

How can one more NAT be added for this host (host --> Public_IP3) so that this host can be accessed at Public_IP3?

Can configuring NAT with access-list solve our problem?

Any example on this would be highly appreciated.

Thanks in advance.


Laurent Aubert Fri, 09/25/2009 - 18:20


You can try the following configuration:

! Placeholders (source_host, Dect_host, Public_IP3) are the ones used in the question.
! The static translation is only applied when the route-map permits the packet.
ip nat inside source static source_host Public_IP3 route-map test
!
route-map test permit 10
 match ip address 112
!
! Traffic denied by ACL 112 (the VPN traffic to the remote host) is NOT translated,
! so it still matches crypto ACL 111 and goes into the tunnel.
! Everything else from the host is translated to Public_IP3.
access-list 112 deny   ip host source_host host Dect_host
access-list 112 permit ip host source_host any


Another solution could be to have a dedicated tunnel interface (GRE- or VTI-based). That way VPN traffic will never be translated, as there is no ip nat outside configured on the tunnel interface. In this case you don't need the route map.
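A complete worked configuration of the route-map approach from the reply above, added here as an example; it is not taken from the thread or from the poster's router. Every address and name in it is a constructed placeholder standing in for the question's terms: 10.1.1.10 for source_host, 192.0.2.10 for Public_IP3, 198.51.100.1 for the router's outside Public_IP, 203.0.113.1 for the remote VPN peer, 10.2.2.20 for Dect_host, and the names NONAT-VPN, VPN, TS and the interface numbers are assumed.

```cisco
! Added example (not from the thread). Constructed placeholder addresses:
!   10.1.1.10     inside host (source_host)
!   192.0.2.10    its public address for internet access (Public_IP3)
!   198.51.100.1  router outside address (Public_IP)
!   203.0.113.1   remote VPN peer
!   10.2.2.20     remote host behind the peer (Dect_host)
interface GigabitEthernet0/0
 description Outside
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet0/1
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Crypto ACL: defines what is encrypted. On inside-to-outside traffic IOS
! evaluates NAT BEFORE the crypto map, so this ACL must match the addresses
! the packet carries after the NAT stage. Because ACL 112 exempts this
! traffic from translation, the real (untranslated) addresses are correct.
access-list 111 permit ip host 10.1.1.10 host 10.2.2.20
!
! NAT ACL used by the route-map: deny = leave untranslated (the VPN traffic),
! permit = translate. The deny must come first.
access-list 112 deny   ip host 10.1.1.10 host 10.2.2.20
access-list 112 permit ip host 10.1.1.10 any
!
route-map NONAT-VPN permit 10
 match ip address 112
!
! Static one-to-one NAT for internet access, conditioned on the route-map.
! "reversible" lets sessions initiated from the internet towards 192.0.2.10
! use this route-map-controlled static entry (IOS releases that support it).
ip nat inside source static 10.1.1.10 192.0.2.10 route-map NONAT-VPN reversible
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 set pfs group14
 match address 111
```

The check a practitioner wants after applying this: send traffic from 10.1.1.10 to 10.2.2.20 and confirm with `show crypto ipsec sa` that the encaps/decaps counters for the 10.1.1.10/10.2.2.20 SA increase, and with `show ip nat translations` that no entry for that flow appears (only flows to other destinations should show 10.1.1.10 mapped to 192.0.2.10). If the deny line in ACL 112 is missing or written with the wrong addresses, the packet is translated to 192.0.2.10 first, no longer matches ACL 111, and leaves the outside interface in the clear, which is the failure mode this exemption exists to prevent.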


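The tunnel-interface alternative mentioned in the reply, worked through as an added example (not from the thread) using a VTI. It reuses the same constructed placeholders as above (10.1.1.10 inside host, 192.0.2.10 its public address, 198.51.100.1 router outside address, 203.0.113.1 remote peer, 10.2.2.20 remote host); the tunnel addressing 10.255.0.0/30, the profile name VTI-PROF and the next hop 198.51.100.254 are assumed.

```cisco
! Added example (not from the thread): VTI instead of a crypto map + route-map.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
 set pfs group14
!
! The VTI carries no "ip nat outside", so packets routed into it are never
! translated. Nothing is needed to exempt VPN traffic from NAT, and there is
! no crypto ACL: everything routed into Tunnel0 is encrypted.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VTI-PROF
!
interface GigabitEthernet0/0
 description Outside
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Plain static NAT, no route-map: only traffic leaving via Gi0/0 (nat outside)
! is translated, so the host is reachable from the internet as 192.0.2.10.
ip nat inside source static 10.1.1.10 192.0.2.10
!
! Routing decides what is encrypted: only the remote host goes via Tunnel0,
! everything else follows the default route out Gi0/0 and is translated.
ip route 10.2.2.20 255.255.255.255 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

Two caveats when choosing this over the route-map method: the peer must also terminate the tunnel as a VTI (or at least accept the any-to-any traffic selector a VTI negotiates), and the host-route to 10.2.2.20 is now the only thing keeping that traffic off the clear-text path, so verify with `show ip route 10.2.2.20` that the next hop is Tunnel0 and with `show crypto ipsec sa` that the Tunnel0 SA's encaps counter increases while `show ip nat translations` shows no entry for that destination.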

