I am personally not sure if the Cisco Router behaviour differs from the Cisco ASA.
If we were to presume a situation where we had 2 ASA firewalls without any NAT configurations and a L2L VPN connection was created between them, then they would not require any type of NAT configuration whatsoever.
Usually the situation is though that the customer has the Cisco ASA as both an Internet gateway and VPN gateway, and that means there is a Dynamic PAT present to enable the users' Internet connectivity, and this always means that you need a NAT0 configuration to bypass the Dynamic PAT. Naturally there is an option to configure the L2L VPN to use the Dynamic PAT address as the source, but this is not a very usual solution as it blocks all connectivity towards this site's hosts through the L2L VPN connection.
The only IOS devices that I use for L2L VPN connections are different Cisco 6500/7600 series VPN modules or ASR routers. On these devices at least we don't configure any type of NAT for the L2L VPN connections, so my assumption is that you won't need one for your Routers unless they have existing NAT configurations that need to be bypassed.
Are you having a problem getting some L2L VPN connection up between some Cisco Routers?
Of course you can use VPN without NAT, and that is also the common way to configure it. You have two ways to implement it:
1) The "modern" way: If both routers are running IOS, then you can use VTIs / IPsec-tunnel-interfaces. On these tunnels you just don't configure NAT.
2) The legacy way: You are using crypto maps on the interface with the "ip nat outside" command. Now you configure your NAT-rule with NAT-Exemption. For that, the ACL you reference has deny-statements for your VPN-traffic.
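The legacy crypto-map setup described in the reply above, written out as an added example (not configuration from the thread). The addresses, interface names and the names VPN-TRAFFIC, NAT-TRAFFIC, L2L-MAP and TS-AES are constructed assumptions, and the IKE policy and key are left out.

```cisco
! Constructed example: local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24,
! remote peer 198.51.100.2. All object names are hypothetical.

! Crypto ACL: selects traffic to protect, written with the real
! (untranslated) source addresses.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! Weak variant, shown commented out: without a deny entry the VPN flow
! is PATed as well. Inside-to-outside NAT runs before the crypto map
! check, so the translated source no longer matches VPN-TRAFFIC and the
! packet is forwarded outside the tunnel.
!  ip access-list extended NAT-TRAFFIC
!   permit ip 10.1.1.0 0.0.0.255 any

! Corrected NAT ACL: exempt the VPN flow first, then PAT everything else.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any

ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload

crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map L2L-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 match address VPN-TRAFFIC

interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

interface GigabitEthernet0/0
 description Internet / VPN uplink
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map L2L-MAP
```

With the corrected ACL in place, `show ip nat translations` should list no entries towards 10.2.2.0/24 while the encaps counters in `show crypto ipsec sa` increase for that flow.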