Cisco Support Community

Help with VPN using NAT.


I'm in need of some urgent help please.

I have configured my VPN following this:

Basically I'm NATting a whole subnet before sending it over the tunnel.

The only thing that differs is that I've used a route-map with my static translation:

ip nat inside source static network /16 route-map CAP

route-map CAP permit 10

match ip address 115

access-list 115 permit ip

access-list 115 permit ip

I can see that it is being translated:

router#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

--- --- ---

Subnet translation:

Inside global Inside local Outside local Outside global /prefix --- --- /16

But it does not bring the tunnel up. In debug it appears to not even be attempting to initiate. I can see that the access list applied to the crypto map is not being hit.

HOWEVER, when I add the untranslated subnet to the access-list, i.e.:

access-list 173 permit ip

access-list 173 permit ip

I can see the hit count incrementing for!!! I'm not sure how this is possible when it has been translated. This also brings the tunnel up (but not fully, as it's not configured on the other end, I'm just using it for testing).

Any ideas? Do I need a next hop address configured on my route map?

Any comments would be very much appreciated.




Re: Help with VPN using NAT.

For instructions on how to configure a Network Address Translation Traversal (NAT-T) between Cisco VPN Clients located behind a Port Address Translation (PAT)/NAT device and a remote Cisco VPN Concentrator, refer to Configuring Multiple VPN Clients to a Cisco VPN 3000 Concentrator Using NAT-Traversal.
