Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Can GRE and IPSEC pass through NAT?

I am running a hub and spoke site-to-site VPN with a few branches on 2611's. My plan is to add a screening Router in the hub location (which is an extra 2611) in front of the present 2611 creating a DMZ.

The new screening router will hold the public IP's and be performing NAT. I have 5 static IP's to use.

Will i be able to allow GRE and IPSEC through the screener and terminate the tunnels on the inside router or will i have to terminate them on the screening router? Any suggestions how to set this up?


Cisco Employee

Re: Can GRE and IPSEC pass through NAT?

Yep, you can do this. The NAT will have to be a one-to-one static NAT translation, not PAT and not dynamic out of a pool of addresses. The spokes "tunnel dest" will all point to the NAT'd address on the screening router. The inside hub router simply points to the actual spoke addresses, nothing changes on that side.

See for details, the firewall in this sample config is your screening router.