Cisco Support Community
Community Member

how to configure site to site VPN using NAT

Hi Cisco Engineers,

I've heard from the training videos (CBT Nuggets) that when mixing VPN and NAT configuration, you must exclude the IP addresses from being NATed so they can go across the VPN to the other side. Do I make sense?

I want to set up a site-to-site VPN, and all the clients behind these routers are able to surf the internet, which is permitted using NAT. Please help to enlighten me about this, based on the video training that I've seen.

Is there any documentation I should follow when it comes to configuration?

Hoping for your future response.



Community Member

Re: how to configure site to site VPN using NAT


This is simple. After you have created the Site-to-Site VPN tunnel, you need to add a NAT Rule - NAT-Exempt so that the traffic is NOT being NATed.

From the ASDM, Configure - Firewall - NAT Rule and add a NAT-Exempt Rule to the interface that your NAT network is behind. Source is your network and destination is remote network.

Hope this works

Re: how to configure site to site VPN using NAT

A simple IOS example:

ip access-list extended nat-src
 remark --- Inside source addresses dynamically translated via PAT overload.
 deny ip <near-side-net> <wildcard> <far-side-net> <wildcard>
 permit ip <near-side-net> <wildcard> any

(The addresses were lost from the post; the angle-bracket fields are placeholders for the near-side and far-side networks and their wildcard masks.)

The first ACE would exclude tunnel traffic (near side, far side) from the NAT process.

The second ACE would NAT any traffic not being sent to far side addresses (through the tunnel).
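The point of the reply above is that the NAT ACL must deny the tunnel's traffic before it permits everything else. This added Python model of IOS first-match wildcard ACLs (not code from the thread) checks a NAT ACL against the crypto ACL; the networks (10.1.1.0/24 near side, 10.2.2.0/24 far side), ACL names and sample flows are constructed.

```python
"""Check that an IOS NAT ACL exempts the traffic the crypto ACL selects.

Added example, not from the original thread. Networks and sample flows are
constructed. IOS matching is simplified to what matters here: the first
matching ACE wins, a wildcard bit of 1 means "don't care", 'any' is
0.0.0.0 255.255.255.255, and an unmatched packet hits the implicit deny.
"""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace, src, dst):
    """Does one ACE (action, src, src_wc, dst, dst_wc) match a src/dst pair?"""
    _, s, s_wc, d, d_wc = ace
    # Compare only the address bits whose wildcard bit is 0.
    return ((_to_int(src) ^ _to_int(s)) & ~_to_int(s_wc) & 0xFFFFFFFF) == 0 and \
           ((_to_int(dst) ^ _to_int(d)) & ~_to_int(d_wc) & 0xFFFFFFFF) == 0


def acl_action(acl, src, dst):
    """First-match evaluation, ending in IOS's implicit deny."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace[0]
    return "deny"


def nated_tunnel_flows(crypto_acl, nat_acl, samples):
    """Flows the crypto ACL selects for the tunnel that the NAT ACL would
    also translate: each one is a broken VPN flow."""
    return [(s, d) for s, d in samples
            if acl_action(crypto_acl, s, d) == "permit"
            and acl_action(nat_acl, s, d) == "permit"]


ANY = ("0.0.0.0", "255.255.255.255")
# Crypto map ACL: near side -> far side (constructed networks).
CRYPTO_ACL = [("permit", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")]
# Correct NAT ACL: deny tunnel traffic first, then PAT everything else.
NAT_ACL_OK = [("deny", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255"),
              ("permit", "10.1.1.0", "0.0.0.255", *ANY)]
# Wrong order: the permit matches first, so the deny is never reached.
NAT_ACL_BAD = [("permit", "10.1.1.0", "0.0.0.255", *ANY),
               ("deny", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")]
SAMPLES = [("10.1.1.10", "10.2.2.20"), ("10.1.1.10", "8.8.8.8")]  # constructed

if __name__ == "__main__":
    print("correct ACL, NATed tunnel flows:", nated_tunnel_flows(CRYPTO_ACL, NAT_ACL_OK, SAMPLES))
    print("wrong order, NATed tunnel flows:", nated_tunnel_flows(CRYPTO_ACL, NAT_ACL_BAD, SAMPLES))
```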
