Cisco Support Community

New Member

1811 ipsec vpn with nat

Hello all,

This is my first post on a forum, so bear with me.

Here's my setup.

Site A:  1811 with ipsec VPN to Site B and Site C

inside /24

Site B:  1811 with ipsec VPN to Site A

inside /24

Site C:  1811 with ipsec VPN to Site A

inside /24

Sites B and C do not have connectivity, nor do they need to.

Because Sites B and C have overlapping subnets I am attempting to NAT the entire inside network of Site C via a nat pool and route-map.

We are overloading for internet connectivity at each site.

The tunnel between Sites A and C becomes active only when initiated from Site C (where I am nat'ing the entire inside subnet).  I can ping and telnet from Site C to Site A successfully.

However, I cannot ping or telnet from Site A to Site C even after the tunnel is established.

I am using a NAT pool with 'match-host' and route-map in Site C.  I can see the NAT translation table in Site C shows the proper NATs, but only when initiated from Site C.  The NAT table is blank when initiating the traffic from Site A.

What am I missing?

Any help is GREATLY appreciated.  I've been banging my head against this for the better part of a week.  I think I have the configuration correct according to what I've read online.

The ACLs and NO-NAT entries seem to be correct considering I do have connectivity from one side.  This seems like a NAT issue whereas the NAT is never created unless the traffic is initiated from Site C where the NAT is configured.

Please let me know if you need additional information or configs.

New Member

1811 ipsec vpn with nat

No takers on this?  Is there information missing that might be helpful?

Static NAT works without issue, but I don't want the addresses NAT'd for all VPN connections.