
New Member

Site2Site VPN or NAT issue

I have a site to site vpn from an 877 to an 1841. Everything works fine for the VPN but I am having problems with allowing access from the internet to internal servers on the LAN attached to the 1841.

If I add an ip nat inside statement for a service (for example RDP), then that service stops working over the VPN. It does work from the internet, however.

Is this a NAT issue of some sort?

I've attached the bland config of the 1841 removing references to client specifics, and bits not relevant to this problem.

Thanks for any assistance.


Re: Site2Site VPN or NAT issue

Yes you need to use a route-map with your NAT statements.

The route-map option can be used to translate only traffic going to the public network, and not translate traffic destined for the VPN.

New Member

Re: Site2Site VPN or NAT issue

Is this what I need here:

Make sure that your device is configured to use the NAT Exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and Remote Access configurations.

Here, an IOS router is configured to exempt traffic that is sent between /24 and /24 or /24 from NAT. Traffic destined for anywhere else is subject to NAT overload:

! NAT-exemption ACL: "deny" means do not translate, "permit" means translate.
! The first two lines cover the LAN-to-LAN pairs that ride the tunnel
! (the addresses were stripped from the post as quoted here).
access-list 110 deny ip
access-list 110 deny ip
! Everything else from the LAN is translated.
access-list 110 permit ip any
!
! The route-map simply references the ACL.
route-map nonat permit 10
 match ip address 110
!
! Dynamic PAT on the outside interface, with the exemption applied.
ip nat inside source route-map nonat interface FastEthernet0/0 overload

It is taken from this link:


Re: Site2Site VPN or NAT issue

Yes, but you need to use the route-map with your static command. This example is for dynamic NAT (PAT).

You just add a route-map statement to the end of the static command. Look up the nat inside command in the manual.

Configure the route-map like in the example to DENY traffic destined for the vpn and permit everything else.

New Member

Re: Site2Site VPN or NAT issue

One last question: Does it need to be on both ends of the VPN or just the end where the services that I am trying to reach are located?

Re: Site2Site VPN or NAT issue

Only where the static NAT is.

The other end (client) will always try to reach the services using the real ip address, you need to make sure that the traffic coming back is NOT translated.
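The complete 1841-side configuration the answers above describe, as an added example that is not part of the original thread or any poster's config. Addressing is assumed: the 1841 LAN is 192.168.1.0/24 on FastEthernet0/1, the 877 LAN behind the tunnel is 192.168.2.0/24, the WAN is FastEthernet0/0 with the assumed public address 203.0.113.2, the RDP server is 192.168.1.10, and the ACL, route-map and crypto map names are made up for the example.

```cisco
! Added example, not the poster's configuration. Assumed addressing:
!   1841 LAN   192.168.1.0/24 on FastEthernet0/1 (ip nat inside)
!   877 LAN    192.168.2.0/24 (remote end of the tunnel)
!   WAN        FastEthernet0/0, assumed public address 203.0.113.2
!   RDP server 192.168.1.10
!
! 1. Crypto ACL on the already-working tunnel. The NAT-exemption ACL
!    below must deny exactly this source/destination pair: for
!    inside-to-outside packets IOS applies NAT before the crypto map,
!    so a translated packet no longer matches this ACL and leaves the
!    router in the clear instead of through the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 2. NAT-exemption ACL: deny = do not translate, permit = translate.
ip access-list extended NONAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NONAT
!
! 3. Dynamic PAT for general internet access, exemption applied.
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
! 4. Static port forward for RDP. Without "route-map NONAT" this entry
!    also rewrites 192.168.1.10 -> 203.0.113.2 for packets going to
!    192.168.2.0/24, which is the symptom reported in the thread.
ip nat inside source static tcp 192.168.1.10 3389 203.0.113.2 3389 extendable route-map NONAT
!
interface FastEthernet0/0
 ip nat outside
 crypto map VPN-MAP
!
interface FastEthernet0/1
 ip nat inside
```

After changing any NAT statement, clear the existing entries with `clear ip nat translation *`, otherwise a translation created under the old rule keeps matching. To confirm the exemption works, open an RDP session from the 877 side and check `show ip nat translations`: there must be no entry pairing 192.168.1.10 with a 192.168.2.x address, while `show crypto ipsec sa` should show the encaps/decaps counters climbing for the 192.168.1.0/24 to 192.168.2.0/24 SA. Two caveats: as the original poster found, older IOS releases do not accept `route-map` on a static entry at all (the CLI help `ip nat inside source static tcp 192.168.1.10 3389 203.0.113.2 3389 ?` tells you), and on releases that do, the static-with-route-map form may need the `reversible` keyword before sessions initiated from the internet are translated, so re-test the internet-side RDP after adding the route-map rather than assuming it still works. Finally, a port forward of 3389 is reachable from the entire internet; put an inbound ACL on FastEthernet0/0 that limits TCP/3389 to the source ranges that actually need it.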

New Member

Re: Site2Site VPN or NAT issue


Thank you very much for your help. Even though your answer wasn't the one, it did start me on the right track. The problem with using the route-map command with the static nat command is that it wasn't supported in the IOS version I had.

I found this suggestion from 2004 which has resolved the problem which I've posted here in case others need it.


Create a loopback interface without the ip nat statement

! This interface must carry neither "ip nat inside" nor "ip nat outside".
interface loopback 0
 ip address

Create an access list to match the traffic that is being inadvertently

! Source is the server's private (pre-NAT) address, destination is
! the remote VPN network; only this traffic is diverted.
access-list 199 permit ip host y.y.y.0

The host is the private IP because NAT has not happened yet; you could be more specific and match TCP and the port, but that would probably make this more confusing.

y.y.y is your network, and I assumed class C.

Create a route-map to match the traffic and set the next hop out the loop

route-map lanint permit 10
 match ip address 199
 ! the next hop is the address given to loopback 0 above
 set ip next-hop

Bind the route-map to your lan int

! Policy routing is applied on the LAN (inside) interface, so it runs
! on packets arriving from the server before NAT is considered.
interface ?
 ip policy route-map lanint
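The same workaround written out in full, as an added example that is not the poster's configuration or the 2004 post it came from. The addresses the thread leaves out are assumed here: LAN 192.168.1.0/24 on FastEthernet0/1, RDP server 192.168.1.10, remote VPN LAN 192.168.2.0/24, public address 203.0.113.2 on FastEthernet0/0, and 10.255.255.1/32 for the loopback; the ACL and route-map names are also assumed.

```cisco
! Added example, not the poster's configuration. Assumed addressing:
!   LAN 192.168.1.0/24 on FastEthernet0/1, RDP server 192.168.1.10
!   remote VPN LAN 192.168.2.0/24, WAN 203.0.113.2 on FastEthernet0/0
!   loopback 10.255.255.1/32
!
! Plain static port forward: this release has no route-map option on
! static entries, so on its own it would also translate the server's
! replies to VPN clients and break RDP across the tunnel.
ip nat inside source static tcp 192.168.1.10 3389 203.0.113.2 3389 extendable
!
! Dynamic PAT for the rest of the LAN keeps its normal exemption.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
! Loopback with no NAT role at all.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Match only the server's VPN-bound traffic. Keep this as narrow as
! possible: every packet it matches bypasses the inside-source NAT.
access-list 199 permit ip host 192.168.1.10 192.168.2.0 0.0.0.255
!
route-map lanint permit 10
 match ip address 199
 set ip next-hop 10.255.255.1
!
interface FastEthernet0/1
 ip nat inside
 ip policy route-map lanint
!
interface FastEthernet0/0
 ip nat outside
 crypto map VPN-MAP
```

Why it works: policy routing runs on the inbound LAN interface before NAT. A matching packet is handed to Loopback0 and routed a second time from there toward the WAN; because that second pass did not originate on a NAT-inside interface, the inside-source translation (static or dynamic) is not applied, and the crypto map on FastEthernet0/0 sees the untranslated 192.168.1.10 source and encrypts it. Two checks confirm this: `show route-map lanint` reports "Policy routing matches" increasing while an RDP session from the 877 side is open, and `show ip nat translations | include 192.168.2.` returns nothing. Traffic from 192.168.1.10 to the internet does not match ACL 199, so it still takes the ordinary path and is translated by the static entry as before. The same exposure caveat applies as with any port forward: limit TCP/3389 to trusted sources with an inbound ACL on FastEthernet0/0.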

