Jun 3rd, 2010
I am trying to PAT my internal network to an external IP over an IPsec tunnel and can't quite find the solution. Here is the config I am trying:

isakmp policy 15
  authentication pre-share
  encryption AES-256
  hash sha
  group 5
  lifetime 86400

crypto ipsec transform-set ABC esp-aes-256 esp-sha-hmac
crypto map outside_map 15 match address ABC
crypto map outside_map 15 set peer
crypto map outside_map 15 set transform-set ABC
crypto map outside_map 15 set pfs group5

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
  pre-shared-key xxxxxxx

Access List

access-list ABC remark L-2-L VPN to ABC
access-list ABC extended permit ip

global (outside) 15 access-list ABC
nat (inside) 15

Federico Coto F... Thu, 06/03/2010 - 09:12

Since you're going to PAT the interesting traffic before sending it through the tunnel, the tunnel can only be initiated from your side.

Check if the traffic from the internal network is being PATed with the command ''sh xlate local 10.6.0.x'' --> computer where traffic is initiated.

If you see the translation built, then check if the tunnel is trying to establish with the commands ''sh cry isa sa'' and ''sh cry ips sa''

With this we should be able to see where the problem is.


m.kafka Fri, 06/04/2010 - 02:07

Hi occonorm,

The example you gave doesn't really illustrate in detail what you want.

I can only assume from the access-list ABC that the IPsec local-ident is (the PATed internal hosts) and the remote-ident is

In that case it would be simple:

An access list describes the traffic to be PATed; that access list is used with a nat (inside), and the matching global (outside) has the VPN-PAT address.

access-list XYZ permit ip

nat (inside) 15 access-list XYZ

global (outside)

The crypto map is using a match address for and

Hope that helps. If you can't find the solution, please post more details, a little network sketch etc.

rgds, MiKa
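The PAT-then-encrypt layout MiKa describes above, followed by the checks Federico lists, written out as one complete added example. This is not configuration from either post or from the original question; it uses the pre-8.3 ASA nat/global syntax the thread uses. All addresses are constructed RFC 5737/RFC 1918 placeholders (the thread never shows the real ones), XYZ and ABC are the ACL names from the thread, the pre-shared key is a placeholder, and the `crypto map ... interface outside` / `isakmp enable outside` lines are assumed to be required because the original post does not show them.

```cisco
! Added example, not from the thread. Constructed placeholder addresses:
!   10.6.0.0/24      internal LAN (the 10.6.0.x hosts mentioned in the replies)
!   203.0.113.10     VPN-PAT address presented to the remote site
!   198.51.100.0/24  remote site's network
!   192.0.2.1        remote IPsec peer

! 1. Policy PAT: only traffic from the LAN to the remote network is translated,
!    and the nat-id (15) pairs it with the global below.
access-list XYZ extended permit ip 10.6.0.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 15 access-list XYZ
global (outside) 15 203.0.113.10

! 2. Crypto ACL: the "interesting traffic" is the POST-NAT source, i.e. the PAT
!    address, not 10.6.0.0/24. The remote side mirrors this: its remote network
!    is the single host 203.0.113.10.
access-list ABC remark L-2-L VPN to ABC
access-list ABC extended permit ip host 203.0.113.10 198.51.100.0 255.255.255.0

! 3. Phase 1 / Phase 2, as in the original post with the peer filled in.
isakmp enable outside
isakmp policy 15
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
crypto ipsec transform-set ABC esp-aes-256 esp-sha-hmac
crypto map outside_map 15 match address ABC
crypto map outside_map 15 set peer 192.0.2.1
crypto map outside_map 15 set transform-set ABC
crypto map outside_map 15 set pfs group5
crypto map outside_map interface outside

tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
  pre-shared-key REPLACE-WITH-REAL-PSK

! 4. Verification, in the order Federico gave. Because the source is translated
!    before encryption, only this side can bring the tunnel up; start traffic
!    from an inside host first.
! show xlate local 10.6.0.25        <- expect a PAT entry to 203.0.113.10
! show crypto isakmp sa             <- expect state MM_ACTIVE / QM_IDLE
! show crypto ipsec sa              <- expect encaps/decaps counters increasing
```

Two things to check if the xlate appears but the tunnel never negotiates: the crypto ACL must name the PAT address (the original post reused ABC for both NAT and crypto, and pointed `global` at an access list, which is why it could not match), and any NAT-exemption entry for 10.6.0.0/24 to the remote network must be absent, since exemption takes precedence over policy NAT and would send the untranslated source into the crypto ACL where it does not match.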

