Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


I have looked through the posts and thought I found my solution. Unfortunately, I am still no go. I am trying to connect to a Checkpoint VPN concentrator and my peer requires me to NAT my traffic to an external address. Here is my config (I hope you can follow my convention):

access-list 102 permit ip host x.x.x.x y.y.y.y

access-list 103 permit ip host x.x.x.x y.y.y.y

access-list 104 permit ip y.y.y.y

ip address outside w.w.w.w

ip address inside

global (outside) 1 interface

global (outside) 2 x.x.x.x netmask

nat (inside) 2 access-list 104 0 0

nat (inside) 1 0 0

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map mmlmap 30 ipsec-isakmp

crypto map mmlmap 30 match address 103

crypto map mmlmap 30 set peer y.y.y.y

crypto map mmlmap 30 set transform-set myset

crypto map mmlmap 30 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map mmlmap interface outside

isakmp enable outside

isakmp key ******** address y.y.y.y netmask

isakmp identity address

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 64800

New Member

Re: NAT/PAT over VPN

I found the problem. My other VPN tunnel requires sysopt ipsec pl-compatible. Unfortunately, this tunnel won't work with that option. I assume there is no way to have both tunnels work.

CreatePlease login to create content