New Member

A couple of site-to-site questions


1. Is there a way to create a site-to-site tunnel but only allow one side to initiate the tunnel?

2. Can you NAT across a VPN tunnel?

If either of these is possible, could you point me to configuration examples or documentation on how to accomplish these?



Re: A couple of site-to-site questions

1. Yes. The end which shouldn't call out is configured as a dynamic crypto map (i.e. no peer IP).

2. Yes. It would NAT before it hits the crypto ACL, so crypto-ACL refers to NATed addresses.

New Member

Re: A couple of site-to-site questions

Thanks for your response. Can I ask you to elaborate on the NAT answer? The network we are VPNing to has the same IP scheme we do.

Thank you again very much!

Re: A couple of site-to-site questions

Key to this is understanding the order in which ACLs, NAT and VPN happen:

Coming in from the internet, packets are decrypted (if coming over a VPN), then hit the ACL, then are NATed, then routed.

Going out to the internet, the packet will hit the inside ACL, be routed to the outgoing interface, then NATed, then hit the VPN config.

if you want to NAT their IPs, do a reverse NAT:

static (outside,inside) [destination_IP_as_seen_on_inside] [real_IP_of_destination] netmask 0 100

access-list VPN_traffic_as_seen_on_inside permit ip [your_IPs_before_NAT] [destination_IPs_as_seen_on_inside]

if you want to hide your IPs behind a single PAT address:

nat (inside) 2 access-list VPN_traffic_as_seen_on_inside 0 100

global (outside) 2 a.b.c.d

or you could hide behind a subnet with a policy NAT:

static (inside,outside) [your_IPs_after_NAT] access-list VPN_traffic_as_seen_on_inside

now the crypto ACL will refer to your NATed IPs and their real IPs:

access-list VPN_traffic_after_NAT permit ip host a.b.c.d [real_IP_of_destination]


access-list VPN_traffic_after_NAT permit ip [your_IPs_after_NAT] [real_IP_of_destination]

apply this to crypto map:

crypto map .... match address VPN_traffic_after_NAT

any ACL inbound on the inside interface would be:

access-list in_inside_interface permit ip [your_IPs_before_NAT] [destination_IPs_as_seen_on_inside]
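
The order of operations described in the reply above can be checked with a small model. This is an added example, not part of the original thread and not PIX code: it is a simplified Python simulation, and the subnets (192.168.1.0/24 on both sides, 10.1.1.0/24 and 10.2.2.0/24 as the translated ranges) are constructed. It shows that a crypto ACL written with pre-NAT addresses never matches, so the traffic misses the tunnel.

```python
import ipaddress as ip

# Constructed addressing: both sites really use 192.168.1.0/24.
REAL_LOCAL = ip.ip_network("192.168.1.0/24")       # [your_IPs_before_NAT]
REAL_REMOTE = ip.ip_network("192.168.1.0/24")      # [real_IP_of_destination]
LOCAL_AFTER_NAT = ip.ip_network("10.1.1.0/24")     # [your_IPs_after_NAT]
REMOTE_ON_INSIDE = ip.ip_network("10.2.2.0/24")    # [destination_IPs_as_seen_on_inside]

# ACLs modelled as (source network, destination network) pairs.
IN_INSIDE_INTERFACE = [(REAL_LOCAL, REMOTE_ON_INSIDE)]
VPN_TRAFFIC_AFTER_NAT = [(LOCAL_AFTER_NAT, REAL_REMOTE)]
CRYPTO_ACL_PRE_NAT = [(REAL_LOCAL, REMOTE_ON_INSIDE)]  # the common mistake

def remap(addr, from_net, to_net):
    """Static net-to-net translation: keep the host bits, swap the prefix."""
    if addr not in from_net:
        return addr
    return to_net.network_address + (int(addr) - int(from_net.network_address))

def permits(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def outbound(src, dst, crypto_acl):
    """Inside ACL, then NAT, then crypto ACL (routing step omitted)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if not permits(IN_INSIDE_INTERFACE, src, dst):
        return "dropped by inside ACL"
    src = remap(src, REAL_LOCAL, LOCAL_AFTER_NAT)      # policy NAT of the source
    dst = remap(dst, REMOTE_ON_INSIDE, REAL_REMOTE)    # reverse NAT of the destination
    verdict = "encrypted" if permits(crypto_acl, src, dst) else "no crypto match"
    return f"{verdict}: {src} -> {dst}"

def inbound(src, dst):
    """After decryption: NAT back to what inside hosts use (outside ACL omitted)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return (str(remap(src, REAL_REMOTE, REMOTE_ON_INSIDE)),
            str(remap(dst, LOCAL_AFTER_NAT, REAL_LOCAL)))

if __name__ == "__main__":
    print(outbound("192.168.1.10", "10.2.2.20", VPN_TRAFFIC_AFTER_NAT))
    print(outbound("192.168.1.10", "10.2.2.20", CRYPTO_ACL_PRE_NAT))
    print(inbound("192.168.1.20", "10.1.1.10"))
```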