Cisco Support Community

New Member

IPSec VPN through NAT?

I've got a PIX-to-PIX VPN Tunnel between CO and Chicago that works when the regular link is up. My ISP's main link in Chicago just failed, but they have routed it through some emergency links they put in place. The temporary links include a NAT from a new IP to the old.

So, I have modified the PEER on my CO PIX and restarted the CRYPTO MAP. I can SSH into the remote (CH) PIX via the NATed external IP address, and the VPN appears to be up, but I can't pass traffic across it.

The inbound ESP SAS SPI in CO matches the outbound ESP SAS SPI in CH, and vice-versa. It seems like a routing problem, but I don't see where.

Any other thoughts?


Cisco Employee

Re: IPSec VPN through NAT?

Hi Tim,

Try clearing the ARP cache on both sides. Also try reloading the PIX to make sure it's not stuck in any state since the link failure and still trying to route through the old paths. If it still doesn't help, then open a TAC case with configs for further troubleshooting on this.