Cisco Support Community

New Member

Site - Site VPN using routers and private ip on serial link to ISP

I am connecting a remote site to HQ using 2611XM routers and IPSEC. I did a very similar setup a few months back and everything went great. This time, however, the remote site ISP has provided a private IP on the serial link to the Internet. I have been provided a set of public IPs which I use to NAT (PAT) the private internal network.

My question is: how do I define the peer address for the crypto command on my HQ router? Normally, the peer address is the address of the serial port of the remote router. In this case it is a private IP, so how do I define it?


interface FastEthernet1/0
 ip address
 ip nat inside

interface Serial1/0
 description Link to the Internet
 ip address
 ip nat outside

ip nat pool RG-Geoge-natpool netmask
ip nat inside source list nat-list pool RG-Geoge-natpool overload

ip classless
ip route

ip access-list extended nat-list
 permit ip any


New Member

Re: Site - Site VPN using routers and private ip on serial link


You have defined a NAT pool which is not part of your configured IP segments. If this config is correct, then your serial interface also has to be "natted" by your ISP to a public IP address. Then you can build a crypto map in tunnel mode on the serial interface. On the remote site you must define the peer address as your ISP does the NAT-address for your serial interface. CAUTION: IPsec NAT is not provided by every router and not even by every Cisco IOS. So talk to your ISP and get a public address and also get clear that ESP providing is enabled.

Hope this helps a bit

Regards Norbert Steup
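
The setup the reply describes, written out as an added example that is not from the original posts: the HQ router peers with the public address the ISP translates the remote serial interface to, and the remote router keeps tunnel traffic out of its PAT rule. All addresses (documentation ranges), the names HQ-VPN, HQ-REMOTE and vpn-remote, the HQ interface, the key placeholder and the assumption of a static one-to-one translation by the ISP are assumptions; algorithm availability depends on the IOS image.

```cisco
! ---- HQ router (constructed example) ----
! 203.0.113.10 = public address the remote ISP maps the remote Serial1/0 to (assumed)
! 10.1.0.0/16  = HQ LAN, 10.2.0.0/16 = remote LAN (assumed)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! The key is looked up by the source address HQ sees, i.e. the translated one
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
!
! NAT traversal: wraps ESP in UDP/4500 when a NAT device is detected on the path.
! Requires an IOS image with NAT-T support on both routers.
crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec transform-set HQ-REMOTE esp-aes 256 esp-sha-hmac
!
ip access-list extended vpn-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set HQ-REMOTE
 match address vpn-remote
!
interface Serial0/0
 crypto map HQ-VPN
!
! ---- Remote router (constructed example) ----
! Exclude tunnel traffic from PAT. NAT is applied before the crypto map is
! evaluated on the outside interface, so translated packets would no longer
! match the crypto ACL and would leave unencrypted.
ip access-list extended nat-list
 deny   ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 any
```

After sending traffic between the two LANs, `show crypto isakmp sa` and `show crypto ipsec sa` on either router show whether the tunnel negotiated and whether the encaps/decaps counters increase in both directions.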
