Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to configure the VPN tunnel on the VPN concentrator so that remote network cannot access any resources on local network

Core issue

To configure the VPN tunnel so as to block the remote network to access the local network after tunnel establishment, but the local network should have full access to the remote network.


Complete these steps in order to achieve this task:

Local network:
Remote network:

  • NAT the entire Local Network to a single IP address for VPN tunnel. In this example is seen by the remote network as a single IP address, for example, mask

  • Choose Configuration > Policy Management > Traffic Management > NAT > LAN-to-LAN Rules. Click Add, and in NAT Type, choose PAT.

  • Define the PAT rules:

    Source Network (Local Network): Wildcard Mask:

    Translated Network (Fake IP): Wildcard Mask:

    Remote Network (Remote Network): Wildcard Mask:

  • Click Add.

      Now the source of the tunnel is and the destination is:

  • Choose Configuration > Tunneling and Security > IPSec > LAN-to-LAN.

  • Add a new LAN-to-LAN connection.

  • Enable it and in Connection Type, choose Originate only. Under Peer, type in the public IP address of the remote device.

    Local Network: IP Address: Wildcard Mask:

    Remote Network: IP Address : Wildcard Mask:

  • Make sure the remote network, in this example,, knows how to respond to the fake network PAT:
Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 04:45 PM
Updated by:
Labels (1)