Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ipsec and nat

i am trying to get ipsec protocol 50/51 to work on a 2811 router that is doing nat. i have created an acl to allow esp/ah on the in/out int but still not working. is there anything else required to allow ipsec to work with nat.


Re: ipsec and nat


If you are trying to terminate the ipsec on a device behind the nat router, then you will have to configure a static on the router.

New Member

Re: ipsec and nat

what i am trying to do is allow a visitor/vendor to phone home using ipsec vpn client on a router that is running nat/overload. i have the following configured in the router and applied to the internal(private)and external(internet facing) interfaces.

ip access-list extended ipsec

remark SDM_ACL Category=4

permit esp any any

permit ahp any any

i am running sdm (security device mgr on the 2811)

thanks for your support.

New Member

Re: ipsec and nat

Am I getting this right?

- You have a visitor inside your network using a VPN Client.

- He has a IPSEC router with IPSEC NAT Transparrancy enabled at home.

- Your router is doing FW / NAT / PAT in between

If this is the case you should permit UDP IKE-NONE500 (i believe it is port 4500 (or 10000)) to travel through your router..

When using NAT Traversal, ESP is encaptulated i a UDP packet to be able to travel trough the NAT devices.

Hope This Helps



CreatePlease login to create content