New Member

IPSec, NAT, Interface ACL


clients --- fa0/1 R1 fa0/0 ---ipsec--- fa0/0 R2 --- loopback

R1 fa0/1:

R1 fa0/0:

R2 fa0/0:

R2 Loop0:

I have a lab set up to help me learn about configuring IPSec tunnels. I can get the tunnel up and running with packets passing back and forth; however, when I assign an ACL to the inside interface, traffic no longer passes.

A bit more information:

I have noticed that although the inbound ACL seems to kill the connection, I can issue 'sh ip nat trans' and still see translations being made.

Here is my relevant config on R1:


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *** address

crypto ipsec transform-set esp-3des esp-3des

crypto map VPN_crypto 10 ipsec-isakmp
 set peer
 set transform-set esp-3des
 match address VPN_Traffic

interface FastEthernet0/0
 ip address
 ip nat outside
 crypto map VPN_crypto

interface FastEthernet0/1
 ip address
 ip nat inside
ip nat inside source list VPN_NAT interface FastEthernet0/0 overload

ip access-list extended VPN_NAT
 permit tcp any host eq www
 permit tcp any host eq 443
 permit ip host host
ip access-list extended VPN_Traffic
 permit ip any host
ip access-list extended Inside_Allowed
 permit ip host
 permit ip host any
 permit ip any host


Thank you for any advice and assistance in advance.



Re: IPSec, NAT, Interface ACL

The list below contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.

Make sure that your NAT exemption and crypto ACLs specify the correct traffic.

If you have multiple VPN tunnels and multiple crypto ACLs, make sure that those ACLs do not overlap.

Do not use ACLs twice. Even if your NAT exemption ACL and crypto ACL specify the same traffic, use two different access lists.

Make sure that your device is configured to use the NAT exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and remote access configurations.
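As an added illustration of the checklist above (this is an example configuration, not the reply's text or the original poster's config), here is an IOS site-to-site configuration for R1 that keeps the NAT exemption ACL and the crypto ACL as two separate lists and applies the exemption through a route-map. All addresses are constructed for the example: 192.168.1.0/24 for the clients behind fa0/1, 203.0.113.1 for R1 fa0/0, 198.51.100.1 for R2 fa0/0, 10.10.10.0/24 for the network behind R2, and the pre-shared key is a placeholder. The inbound ACL Inside_Allowed on fa0/1 is included because, as in the original post, it is the piece that breaks traffic when it is too narrow: an inbound ACL on the inside interface is evaluated before inside-to-outside NAT and before encryption, so its entries must match the clients' real (pre-translation) addresses and the remote network's real addresses.

```cisco
! Added example for R1 with constructed addresses; not the thread's own configuration.
! Clients 192.168.1.0/24 sit behind fa0/1; R2 fa0/0 is 198.51.100.1 with 10.10.10.0/24 behind it.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 198.51.100.1
!
crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
!
! Crypto ACL: exactly the LAN-to-LAN traffic that must be encrypted.
! Referenced only by the crypto map (one ACL per purpose).
ip access-list extended VPN_Traffic
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! NAT exemption ACL: the same LAN-to-LAN traffic is denied here, which excludes it
! from translation so it keeps its real source address and can match VPN_Traffic.
! Everything else from the LAN is permitted, i.e. translated to fa0/0's address.
! Kept as a second list even though it describes the same traffic as VPN_Traffic.
ip access-list extended NAT_Exempt
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Inbound ACL on the inside interface. Checked before NAT and before the crypto map,
! so it matches the clients' real addresses, including the flows bound for the VPN.
ip access-list extended Inside_Allowed
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 deny   ip any any log
!
! Route-map so that only traffic permitted by NAT_Exempt is translated.
route-map NONAT permit 10
 match ip address NAT_Exempt
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
crypto map VPN_crypto 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set esp-3des
 match address VPN_Traffic
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN_crypto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group Inside_Allowed in
```

With this layout the three lists have distinct jobs: VPN_Traffic selects what is encrypted, NAT_Exempt decides what is translated, and Inside_Allowed filters what the clients may send at all. When the tunnel stops passing traffic after an inside ACL is applied, `show ip access-lists Inside_Allowed` shows which entry is accumulating matches (the final `deny ... log` entry also produces log messages for dropped flows), and `show crypto ipsec sa` shows whether packets are still being encapsulated for the VPN_Traffic proxy identities.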