New Member

VPN site to site behind PAT device


I have the below setup:

Internal hosts --> ISA server --> Edge router <<-------------------------->> Remote router --> remote server


Our ISA is doing PAT and hiding all the internal clients behind the IP "". I need to initiate a VPN tunnel between two hosts behind the ISA, which are: and that need to communicate with the remote server on the other side with IP

I was able to get the VPN up and ping from the left side (host that resides behind the ISA) to the remote server, but the ping from the other side is not working. I know it's because we have a PAT device in front of our internal servers on the left, and to get a two-sided VPN tunnel I need to create static NAT entries on the ISA for the two servers, but unfortunately that's not doable in the meantime since these servers are participating in other VPN connections.

My question: Is there any workaround to be applied here without the need of creating static NAT entries and keeping the ISA doing PAT as expected?


New Member

VPN site to site behind PAT device

You have to enable the nat-transparency feature so the traffic would be encapsulated in UDP 4500 (NAT-T) and overcome the PAT issue with ESP.

It must be enabled by default on both routers, so you need to check; do the following:

crypto ipsec nat-transparency udp-encapsulation



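Why NAT-T makes the difference for a PAT device, shown with an added Python example that is not part of this thread or of any Cisco code: a PAT table multiplexes many inside hosts behind one outside address by rewriting transport-layer ports, raw ESP (IP protocol 50) has no ports at all, and RFC 3948 NAT-T wraps the same ESP header in UDP on port 4500 so there is a port to map. The addresses, SPIs and the toy PAT table below are constructed for illustration; real PAT devices may add vendor-specific ESP passthrough, but the port-based mapping is exactly what NAT-T gives them.

```python
import struct
from ipaddress import IPv4Address

# Constants from the IP/UDP/ESP specs (RFC 4303 ESP, RFC 3948 UDP encapsulation).
ESP_PROTO = 50          # IP protocol number for ESP: carries no transport-layer ports
UDP_PROTO = 17
NAT_T_PORT = 4500       # IKE and ESP share this UDP port once NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # 4 zero bytes mark IKE (not ESP) on UDP 4500


def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (checksum left zero) in front of a payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_esp(spi, seq, body=b"\x00" * 16):
    """ESP header: 32-bit SPI, 32-bit sequence number, then ciphertext (dummy here)."""
    return struct.pack("!II", spi, seq) + body


def build_udp(sport, dport, payload):
    """UDP header with zero checksum, as RFC 3948 permits for NAT-T encapsulation."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Describe the packet the way a PAT device has to look at it: addresses,
    protocol, and whether there are transport ports it can rewrite."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    l4 = packet[ihl:]
    info = {"src": src, "dst": dst, "proto": proto, "sport": None, "dport": None}
    if proto == ESP_PROTO:
        info["kind"] = "esp"
        info["spi"], info["seq"] = struct.unpack("!II", l4[:8])
    elif proto == UDP_PROTO:
        info["sport"], info["dport"], _, _ = struct.unpack("!HHHH", l4[:8])
        body = l4[8:]
        if NAT_T_PORT in (info["sport"], info["dport"]):
            if body[:4] == NON_ESP_MARKER:
                info["kind"] = "ike-over-natt"      # IKE keepalives/negotiation on 4500
            else:
                info["kind"] = "esp-in-udp"         # ESP header follows the UDP header
                info["spi"], info["seq"] = struct.unpack("!II", body[:8])
        else:
            info["kind"] = "udp"
    else:
        info["kind"] = "other"
    return info


class PatTable:
    """Toy port-address-translation table: many inside hosts behind one outside IP."""

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.entries = {}   # (inside_ip, inside_port) -> outside_port

    def translate(self, info):
        """Return the (outside_ip, outside_port) assigned to this flow, or None
        when PAT has no port to multiplex on (raw ESP)."""
        if info["sport"] is None:
            return None
        key = (info["src"], info["sport"])
        if key not in self.entries:
            self.entries[key] = self.next_port
            self.next_port += 1
        return (self.outside_ip, self.entries[key])


def demo(hosts=("10.0.0.11", "10.0.0.12"), remote="198.51.100.7"):
    """Two inside hosts (constructed addresses) each build a tunnel to the same
    remote peer; returns the PAT outcome for raw ESP and for NAT-T encapsulated ESP."""
    pat = PatTable("203.0.113.1")
    results = {"esp": [], "natt": []}
    for i, host in enumerate(hosts):
        raw = build_ipv4(host, remote, ESP_PROTO, build_esp(0x1000 + i, 1))
        natt = build_ipv4(host, remote, UDP_PROTO,
                          build_udp(NAT_T_PORT, NAT_T_PORT, build_esp(0x2000 + i, 1)))
        results["esp"].append(pat.translate(classify(raw)))
        results["natt"].append(pat.translate(classify(natt)))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `None` for both raw ESP packets (nothing for the PAT device to key on, so return traffic for the second host cannot be told apart from the first) and two distinct outside ports for the NAT-T packets, which is what lets replies from the remote side reach the right inside host once both routers negotiate UDP encapsulation.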
New Member

VPN site to site behind PAT device

Thanks Tariq,

So, even if we have devices residing behind the ISA on the 10 subnet, if we enable NAT-T on the edge router (which is our VPN gateway) that would do the job?