Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN over ADSL and NAT

Site to site VPN over ADSL.

Tunnel terminates on a SOHO97 router.

The tunnel requires (by corporate policy) that the host whose traffic is to be encrypted, appears with a particular address, say

The actual IP address of the host is different, say

Can I perform static NAT on the SOHO97 :

ip nat inside source static

and also

access-list 102 permit ip <VPN peer address>


Is there any problem in this configuration / processing flow of these commands ?

Could you give any feedbaack on this ?



Re: VPN over ADSL and NAT


i found this link which is very much inline as per your requirement.

do check out and let me know whether it helped you out or not.

As per your requirement u need to have some static translations on the ports which is reqd for ipsec and isakmp negotiations.


New Member

Re: VPN over ADSL and NAT

That is very interesting, though I believe my situation is somewaht different:

- I have many public IP available

- I have just one VPN gateway (which should act also as NATting device).

SO I was wondering whether ther could be problems associated with this.



Re: VPN over ADSL and NAT

So you want to static NAT the pc on the SOHO and then send it over the ipsec tunnel. So you have nat inside on the inside intf, and nat outside and crypto map on tje outside adsl intf.

I beleive, in the feature path (inside to outside) Nat comes in before ipsec. So the packet will get natted, and then when it hits the crypt map and acl on the outside, the nated packet should match and get encrypted. Reverse happens on outside to inside.

I havent worked muc with the SOHO versions, but beleive it should work.

another simpler alternative is to use EZVPN client mode on the SOHO. So it brings up tunnel to the headend (ezvpn server), gets pused down an ip address, and internally nat's the inside pc's ip to this server-assigned ip before encrypting acoss the tunnel.

Drawback is if you have multiple pc's or the headend side needs to initiate traffic/tunnel. Headend cannot bring up tunnel, and cannot initiate traffic since it does not know what port to send to (since the ezvpn client does internal PAT).


CreatePlease to create content