Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

VPN s2s tunnel after PAT and NAT on non-cisco


I have cisco 1711. on LAN there is ZYXEL firewall. I have tried to establish s2s tunnel betwenn this LAN zyxel and other Zyxel on the other side with WAN.


interface Serial0

description Polaczenie do Internetu$FW_OUTSIDE$

bandwidth 2048

ip address


ip nat pool PAT prefix-length 29


ip nat inside source static extendable

ZYXEL is LAN and NATed to

my qestion is:

is there posibility to establish s2s tunnel with host that in LAN has NATed to WAN address as above?

New Member

Re: VPN s2s tunnel after PAT and NAT on non-cisco

So you're saying that your configuration is :

Zyxel (LAN ) -> 1711 -> Zyxel (WAN ) and you want to establish a l2l VPN tunnel between the LAN and WAN Zyxel firewalls and you're NATting the LAN Zyxel firewall to a WAN address?

If yes, then your answer is : Yes you can do a VPN but using NAT-Traversal. It's a technology where the IKE ports of the initiator and the responder are changed from their default value of 500 to 4500 in order to support NAT devices working in-between the VPN. If your Zyxel firewall supports NAT-T then there's a good chance this will work

New Member

Re: VPN s2s tunnel after PAT and NAT on non-cisco

thnx for Your kindly reply.

On Zyxel VPN configuration screen I can "thick" option "NAT Travelsal" (now it is unthicked) but no additional configuration options.

Shall I perform additional configuration on 1711 to support Nat-Travelsal on Zyxel?

New Member

Re: VPN s2s tunnel after PAT and NAT on non-cisco

Yeah try checking that option on the Zyxel firewall. On the 1711 there are no configurations required, just do the usual NAT. See if that works

CreatePlease to create content