Cisco Support Community
Community Member

site-to-site IPSec VPN, one site behind PAT, one behind NAT 1:1

Hi Cisco community,

I am now trying to achieve a scenario, which is pictured below.


It should be a site-to-site VPN on IPSec. The site on the left is behind PAT and for our purpose will be marked as the Branch site. I do not have access to the ISP router and I cannot make any changes there. The site on the right is marked as Headquarters and is behind NAT 1:1. On this site, too, there is no possibility of making any change on the ISP router. Here at Headquarters will be the termination point for the IPSec tunnel. Only the cross-site communication has to be routed through the tunnel; all other communication should go out the ISP link. The Branch site router is a Cisco 871 and the Headquarters router is a Cisco 881. My question for the experienced people here is whether there are any problems I will have to address during the IPSec implementation, caused by those two NATs on the way. I have very little experience with IPSec, but I have heard that IPSec and NAT do not "like" each other.

In the future there is a plan for another site(s) in mesh topology and maybe for remote networkers (roadwarriors) to connect to Headquarters, but this is not a major concern now.

Please feel free to share your ideas.

Community Member

Re: site-to-site IPSec VPN, one site behind PAT, one behind NAT

If anybody is interested, I made this solution.

I have used DMVPN as it is a very good feature and saves a lot of static configuration.

The final topology is as you see below. The presumption is that the ISP routers are not accessible for us, they are only used as transport nodes.

The DMVPN is dual headend and the Hubs are Cisco_892, which has a routed public IP, and Cisco_892J, which has NAT 1:1 behind a static public IP. Cisco_881W is behind PAT so it acts as a spoke only.

IPSec is used in transport mode to go through NAT.

There is an IP SLA done on Cisco_881W to both other locations so the tunnel will be established and maintained from behind the PAT (obviously it cannot be done from outside).

Cisco_892J and Cisco_881W have also a ZBF applied, with the traffic from VPN tunnels implicitly trusted (zone is the same as internal networks).

EIGRP 10 is used as the routing protocol for discovering networks behind neighbours through tunnels. The EIGRP is in default configuration; there are some recommendations that the holddown timers should be changed.

I have used a 3745 as the platform with IOS c3745-adventerprisek9-mz.124-15.T14 (because of ZBF).
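An added example, not the poster's configuration: the spoke behind PAT (Cisco_881W in the post above) written out in IOS syntax, with transport-mode IPsec, both hubs as NHRP servers, EIGRP 10 and the IP SLA probes that keep the tunnel up from the inside. Addresses (documentation ranges), interface and profile names, keys, timers and crypto parameters are assumptions, as is the choice of a single tunnel interface for both hubs.

```ios
! Constructed example. Hub public IPs 192.0.2.1 and 198.51.100.1 (the
! second being the 1:1 NAT address of Cisco_892J) are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 ! assumed group; pick the strongest one every peer's release supports
 group 14
! One key per hub address rather than a 0.0.0.0 wildcard key
crypto isakmp key <PSK-HUB1> address 192.0.2.1
crypto isakmp key <PSK-HUB2> address 198.51.100.1
! NAT-T keepalives keep the UDP 4500 mapping on the ISP PAT device alive
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 ! transport mode, as in the post, so GRE is protected without a second IP header
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.3 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-KEY>
 ip nhrp network-id 10
 ! static mappings: hub tunnel address -> hub public (NBMA) address
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.255.0.1
 ip nhrp map 10.255.0.2 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.255.0.2
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 10
 network 10.255.0.0 0.0.0.255
 network 192.168.3.0 0.0.0.255
 no auto-summary
!
! Probes sourced from the spoke so the session is always initiated from behind PAT
ip sla 1
 icmp-echo 10.255.0.1 source-interface Tunnel0
 frequency 30
ip sla schedule 1 life forever start-time now
```

A second probe (`ip sla 2`) toward 10.255.0.2 with the same settings covers the other hub. `show crypto isakmp sa` and `show ip nhrp` on the spoke confirm that both sessions came up over UDP 4500 and that both NHS registrations succeeded.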

