Cisco Support Community
Community Member

VPN drop with static NAT

Hi everyone.

I have a 2911 router configured for site-to-site VPN, and there is a web server published with static NAT.

When the static NAT is in place, the remote VPN site cannot access the web server through the VPN,

and when I remove the static NAT, the remote VPN site can access the web server through the VPN ???

And I need to keep both (the web server published to the internet, and the remote VPN users able to access the web server through the VPN).

I'll appreciate any help!






Hi,

Can you try to perform a NAT identity (NAT exemption) for the server?

Create an ACL with the source and destination IPs you don't want to translate, deny those in the ACL, and permit any other traffic which you want to get translated.

Create your NAT using that ACL...

Ex: access-list NAT-ACL deny ip any

     access-list NAT-ACL permit ip any

ip nat inside source list NAT-ACL

Any traffic generated from will not get "NATted" but does.





Community Member


Hi rvarelac, thank you for the reply:

I have already done that. I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!


crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp key 12344321 address

crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
 mode tunnel

crypto map s2s 100 ipsec-isakmp
 set peer
 set transform-set Remote-Site
 match address vpnacl

interface GigabitEthernet0/0
 crypto map s2s

Extended IP access list lantointernet
    30 deny icmp
    40 deny igmp
    50 deny ip
    80 permit ip any any






Hi, you can do the NAT exemption / no-NAT for the VPN pool. If you do so, outside internet-to-server access will be performed by the defined static NAT, and the no-NAT rule will handle access for the VPN users.
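The two replies above both point at NAT exemption; the detail that trips up the original poster is that a deny entry in the dynamic NAT ACL only exempts traffic from the dynamic (overload) translation, while the separate static entry for the web server keeps translating the server's replies to the remote VPN LAN. The following is an added example configuration, not any of the posters' own config, showing one way to apply the exemption to both the dynamic and the static translation on IOS by attaching a route-map to the static entry (this goes one step beyond what the thread spells out). All addresses are constructed for the example: LAN 192.168.1.0/24, web server 192.168.1.10, public address 203.0.113.10, remote VPN LAN 10.10.10.0/24; the interface name GigabitEthernet0/0, the crypto map s2s and the crypto ACL name vpnacl are taken from the thread, GigabitEthernet0/1 as the inside interface is assumed.

```ios
! Added example (not the thread author's config). Constructed addresses:
!   LAN 192.168.1.0/24, web server 192.168.1.10, public 203.0.113.10,
!   remote VPN LAN 10.10.10.0/24. Gi0/0 outside (from the thread), Gi0/1 inside (assumed).
!
! Traffic that must stay untranslated (it rides the tunnel) is DENIED here.
! ACL entries are evaluated top-down, first match wins, so the deny has to
! sit above the permit ip any any.
ip access-list extended NONAT
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
! Crypto ACL referenced by "match address vpnacl" in the thread: the interesting
! traffic is exactly the flow the NONAT ACL leaves untranslated.
ip access-list extended vpnacl
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Dynamic PAT for the LAN: NONAT decides what is translated (deny = not translated).
ip nat inside source list NONAT interface GigabitEthernet0/0 overload
!
! Static NAT for the published server. A plain static entry would also rewrite
! the server's packets towards 10.10.10.0/24 (the breakage described in the
! thread); the route-map restricts the static translation to flows NONAT
! permits, so server <-> remote VPN LAN traffic crosses the tunnel untranslated
! while internet clients still reach 203.0.113.10.
route-map NONAT permit 10
 match ip address NONAT
!
ip nat inside source static 192.168.1.10 203.0.113.10 route-map NONAT
!
interface GigabitEthernet0/0
 ip nat outside
 crypto map s2s
!
interface GigabitEthernet0/1
 ip nat inside
```

To check the result from the router, "show ip nat translations" should show no entry for 192.168.1.10 talking to 10.10.10.0/24 addresses while a test from the remote site runs, and "show crypto ipsec sa" should show the encaps/decaps counters for the 192.168.1.0/24 to 10.10.10.0/24 proxy identities increasing; an external client connecting to 203.0.113.10 should still produce a static translation entry as before.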



