Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ipsec site to site vpn NAT

hi all,

i have one small doubt may be it is silly,

is NAT is must on the ipsec site to site vpn?

means there has to be nat inside and nat outside interfaces or without nat also we can do site to site vpn?

because i am trying to connect two routers with physical cable.(outside interfaces).

then i am trying to make ipsec site to site to communicate internal interface from one end to communicate otherside internal networks.



Super Bronze

Re: ipsec site to site vpn NAT


Sorry for going slightly off topic.

I am personally not sure if the Cisco Router behaviour differs from the Cisco ASA.

If we were to presume a situation where we had 2 ASA firewalls without any NAT configurations and a L2L VPN connection was created between them then they would not require any type of NAT configuration whatsover.

Usually the situation is though that the customer has the Cisco ASA as both an Internet gateway and VPN gateway and that means there is a Dynamic PAT present to enable the users Internet connectivity and this always means that you need a NAT0 configuration to bypass the Dynamic PAT. Naturally there is an option to configure the L2L VPN use the Dynamic PAT address as the source but this is not very usual solution as it blocks all connectivity towards this sites hosts through the L2L VPN connection.

The only IOS devices that I use for L2L VPN connections are different Cisco 6500/7600 series VPN modules or ASR routers. On these devices atleast we dont configure any type of NAT for the L2L VPN connections so my assumption is that you wont need one for your Routers unless they have existing NAT configurations that need to be bypassed.

Are you having problem getting some L2L VPN connection up between some Cisco Routers?

- Jouni

VIP Purple

ipsec site to site vpn NAT

Of course you can use VPN without NAT, and that is also the common way to configure it. You have two ways to implement it:

1) The "modern" way: If both routers are running IOS, then you can use VTIs / IPsec-tunnel-interfaces. On these tunnels you just don't configure NAT.

2) The legacy way: You are using crypto maps on the interface with the "ip nat outside" command. Now you configure your NAT-rule with NAT-Excemption. For that the ACL you reference has deny-statements for your VPN-traffic.

Don't stop after you've improved your network! Improve the world by lending money to the working poor:

Don't stop after you've improved your network! Improve the world by lending money to the working poor: