Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Client Internet access

My cisco vpn client connects to a cisco router at central site. Everything is working fine and I can access local resources.

Nevertheless, the vpn tunnel should also be used to access the internet via central site router. But this doesn´t work. I have started some debugs at the central site router:

- router receives my packets via vpn tunnel on s0/0.

- router forwards the packets via s0/0 and the next

hop to the public destination

- interface s0/0 is <ip nat outside>, but there are

no translations ...!

- <show ip packets detail>: my packets are leaving

central site router without "natting" source

address (which is the private address assigned to

my vpn client)

NAT is not woking with packets entering through the

tunnel and leaving the router via the same interface.

Any idea?

Thanks in advance


  • Other Security Subjects
Cisco Employee

Re: VPN Client Internet access

NAT only works on packets that enter the router on an interface with "ip nat inside" configured, and leaves the router on an interface with "ip nat outside" configured on it. Your traffic is not doing this and therefore is not NAT'd.

You can change your VPN pool of addresses to be valid routable IP addresses and this'll get around this problem.

A better way is just to configure split tunnelling, then Internet based traffic will be sent straight out to the Internet in the clear, rather than use up your router cycles.

New Member

Re: VPN Client Internet access

NAT works only when the ingress interface has "ip nat inside" and egress has "ip nat outside" or if you configure NAT on Stick using policy based routing. In this case the encrypted traffic enters the Router via S0/0. You can try using either one of these options.


Configure the IPSec VPN client termination to the router in such a way that the tunnel terminates on an interface other than the one used for the Internet access. In this case an 'ip nat inside' on the inbound and "ip nat outside" on the egress would help.


In the present scenario you can try and configure NAT on Stick and use PBR to route the traffic to hit a loopback interface having configured with 'ip nat inside'. and the egress with 'ip nat outside'.

New Member

Re: VPN Client Internet access

Thanks, sounds well! Should I use a set criteria with PBR like ? The match criteria should classify the unencrypted traffic coming from the client, or everything encapsulated in ESP?

Thanks in advance


This widget could not be displayed.