IOS IPSEC Site-to-Site Tunnel

Jon Marshall Fri, 11/20/2009 - 14:59
mopaul Fri, 11/20/2009 - 16:42


host router  ]] 

My understanding is, you are asking if you can NAT the internal host to the router's public IP address or not? Where is the tunnel endpoint for IPsec? Please correct me if I am wrong.

If that is what you are asking, then here is your answer:

"It would be like static NAT for the interface to an inside address, so anything coming in at the interface will get translated, including UDP 500. Hence IPsec will fail."

So instead of using the router's public IP address, use any free available IP address if you have one.

Hope this answers your questions.



Durga Prasad M.S Sat, 11/21/2009 - 11:08


As long as you map only the required ports (TCP or UDP) for the application, the ports for IPsec don't get forwarded and you can still create a VPN tunnel to the interface.

See the example below, mapping port 25 to an inside IP (PIX/ASA syntax; <inside-host-ip> is a placeholder for the inside server's address):

static (inside,outside) tcp interface 25 <inside-host-ip> 25 netmask 255.255.255.255


Durga Prasad

Rate if this helps
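The two replies above describe the same rule from opposite sides: a plain static NAT of the interface address hands every inbound flow (including IKE on UDP 500 and ESP) to the inside host, while a port-specific static NAT hands over only the application port and leaves the IPsec flows with the router. The script below is an added example written for this thread, not code from any poster or from Cisco: it parses the two IOS forms of the statement (the thread title says IOS; the reply above uses PIX/ASA syntax, whose IOS equivalent is `ip nat inside source static tcp <inside-ip> 25 interface <outside-if> 25`) and reports which IPsec flows a given config would divert. The inside host 10.1.1.10, interface FastEthernet0/0 and both config excerpts are constructed, hypothetical values.

```python
"""Check whether static NAT on a Cisco IOS outside interface would divert the
IPsec flows (UDP 500, UDP 4500, ESP) that a tunnel terminating on that
interface needs.

Added example for this thread, not code from any poster or from Cisco. The
configs below are constructed samples; inside host 10.1.1.10 and interface
FastEthernet0/0 are assumed, hypothetical values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Inbound flows that must reach the router itself for an interface-terminated
# IPsec tunnel: IKE, NAT-T, and ESP (no port; matched by protocol only).
IPSEC_FLOWS = [("udp", 500), ("udp", 4500), ("esp", None)]

# Plain static NAT of the whole interface address to one inside host.
FULL_STATIC = re.compile(
    r"^ip nat inside source static (\S+) interface (\S+)\s*$")
# Port-specific static NAT: only one protocol/port is handed to the inside host.
PORT_STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)\s*$")


@dataclass(frozen=True)
class StaticNat:
    inside_ip: str
    proto: Optional[str]  # None means every protocol (plain static NAT)
    port: Optional[int]   # None means every port


def parse_static_nat(config: str) -> List[StaticNat]:
    """Extract the static NAT entries from an IOS running-config excerpt."""
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := FULL_STATIC.match(line):
            rules.append(StaticNat(inside_ip=m.group(1), proto=None, port=None))
        elif m := PORT_STATIC.match(line):
            rules.append(StaticNat(inside_ip=m.group(2), proto=m.group(1),
                                   port=int(m.group(3))))
    return rules


def translated_to(rules: List[StaticNat], proto: str,
                  port: Optional[int]) -> Optional[str]:
    """Return the inside host an inbound flow to the interface address is
    forwarded to, or None when the router keeps the packet for itself."""
    for rule in rules:
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.inside_ip
    return None


def stolen_ipsec_flows(config: str) -> List[str]:
    """List the IPsec flows that static NAT would divert away from the router."""
    rules = parse_static_nat(config)
    return [f"{proto}/{port if port is not None else '-'}"
            for proto, port in IPSEC_FLOWS
            if translated_to(rules, proto, port) is not None]


def ipsec_terminates_on_router(config: str) -> bool:
    """True when no static NAT entry captures IKE, NAT-T or ESP."""
    return not stolen_ipsec_flows(config)


# Constructed sample 1: the whole interface address is NATed to the mail host,
# so UDP 500 and ESP are forwarded too and the tunnel on Fa0/0 never comes up.
BAD_CONFIG = """
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
ip nat inside source static 10.1.1.10 interface FastEthernet0/0
"""

# Constructed sample 2: only TCP/25 is mapped to the mail host; IKE and ESP
# still reach the router, so the tunnel can terminate on the interface.
GOOD_CONFIG = """
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
ip nat inside source static tcp 10.1.1.10 25 interface FastEthernet0/0 25
"""

if __name__ == "__main__":
    for name, cfg in (("full static", BAD_CONFIG), ("port static", GOOD_CONFIG)):
        print(f"{name}: diverted={stolen_ipsec_flows(cfg)} "
              f"tunnel_ok={ipsec_terminates_on_router(cfg)}")
```

Run against the two samples, the full static entry reports UDP 500, UDP 4500 and ESP as diverted, while the port-specific entry reports none, which is the behaviour both replies describe. Dynamic NAT overload (`ip nat inside source list ... interface ... overload`) is a separate concern not modelled here; it only translates outbound-initiated sessions and does not capture unsolicited inbound IKE.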

