Cisco Support Community
New Member

IPsec Using Private Addresses


I have a router behind a firewall and I would like to set up a VPN to the router. The router uses only private 10.x space and I would like it to peer IPsec using its loopback IP. The firewall provides a static NAT for the router loopback. I have also opened UDP 500 and UDP 4500 for ISAKMP and NAT traversal. I can get phase I up, but Phase II cannot come up. It looks to be a problem with using private IP space as the peering source.

Can an IPSec VPN be set up on a router that uses only private IP space which is NATTed on a different device?



Hall of Fame Super Silver

Re: IPsec Using Private Addresses


I have not done quite the thing that you describe so I cannot speak from experience. But from my understanding it should be possible. If NAT is done on the firewall (between the router and its peer) it should be transparent to the router. And if you can get phase 1 to work then I think this verifies that it should be possible.

If you get phase 1 but not phase 2 I would guess that the problem may be that the firewall is allowing ISAKMP but is not allowing ESP (and/or AH). Check and see if the IPSec protocols are allowed through the firewall and let us know.



New Member

Re: IPsec Using Private Addresses

Hello Lee

In addition to the static you will have to modify your ACL on the outside (eventually on the inside interface too) in order to permit the ESP and AH protocols between the remote IP and the static outside IP.

Check PIX firewall config on this sample config

Hope this helps ... rate if it does!

Regards !
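Both replies above point at the same firewall pieces: the static NAT for the router loopback, and an outside ACL that must admit ESP/AH as well as ISAKMP. The following is an added illustration, not configuration from either poster or from Cisco; it assumes PIX 6.x-style syntax (the firewall type referenced in the second reply), and every address, ACL name and interface name is a placeholder. If NAT-T is negotiated on UDP 4500, ESP is carried inside that UDP port; the explicit esp/ah lines cover the case where it is not.

```cisco
! Added example (not from the thread). PIX 6.x-style syntax; all addresses are placeholders.
! 10.1.1.1      = router loopback (IPsec source) on the inside
! 203.0.113.10  = public address the firewall presents for that loopback
! 198.51.100.5  = remote IPsec peer
!
! Static NAT so the router's private loopback is reachable from outside.
static (inside,outside) 203.0.113.10 10.1.1.1 netmask 255.255.255.255
!
! --- Incomplete ACL: phase 1 negotiates, but phase 2 data traffic is dropped ---
! access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
!
! --- Corrected ACL ---
! Phase 1 (ISAKMP, UDP/500)
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
! NAT-T (UDP/4500); when negotiated, ESP rides inside this port
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
! Native IPsec data traffic for the case where NAT-T is not negotiated
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10
access-list outside_in permit ah host 198.51.100.5 host 203.0.113.10
!
access-group outside_in in interface outside
!
! Check after bringing the tunnel up: hit counts should increase on the esp
! (or udp 4500) line, not only on the isakmp line.
show access-list outside_in
```

Restricting the source to the single remote peer keeps the exposure to the NATted loopback as narrow as the tunnel needs.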
