Cisco Support Community
New Member

VPN Site to Site With NAT

Hi all,

Can someone help me, please?

An inside server ( needs to access a remote network

A VPN site to site is established between Pix outside ( and Multitech Firewall (

Now my inside server should connect to the remote network with this IP So I have to NAT my inside server IP ( to

The remote network should connect to inside network by the

My problem is I can establish a connection to my inside network from the remote network, but I cannot establish a connection (TCP) from my inside network to the remote network.

The weird thing is I can ping from both networks to each other.

This is my config below:

access-list Outside_1_cryptomap extended permit ip
access-list Inside_nat_static extended permit ip host I92.168.92.6
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *

Thanks for answers

New Member

Re: VPN Site to Site With NAT

Hi fallkaired,

I would say that if you change your NAT to:

static (inside,outside) netmask

things should work.

Good luck!


New Member

Re: VPN Site to Site With NAT

Thanks for your answer, but it is still not working. I have the same problem.

New Member

Re: VPN Site to Site With NAT

OK, the first thing to check here is your crypto ACL on the remote site. Is it an exact mirror of the ACL on the local site?

Do you have ACLs on the remote site possibly blocking your TCP traffic?

Then, what kind of messages do you get when trying to connect to the outside?

At least you should see a packet coming in from and you should see messages like "building xlate entry for... " pointing to the fact translation occurs.

After that you should see the tunnel being built (terminal monitor), you should get isakmp sa's and after that ipsec sa's.

When that is all going as expected, you should be able to see your packets getting encrypted e.g. being transferred through the tunnel (show crypto ipsec sa).

If your connection gets this far, the remote site should be reviewed.
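
Added example, not part of the thread or of either poster's configuration: a small Python check for the first question in the reply above, whether the remote crypto ACL is an exact mirror of the local one. It assumes both sides' selectors are written in PIX `access-list ... permit ip` syntax and that the local ACL matches the translated address 172.20.20.6; the remote network 10.10.10.0/24, the pre-NAT address 192.168.92.6 and the ACL name `remote_crypto` are constructed sample values.

```python
import ipaddress

def take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def selectors(config, acl_name):
    """Return the set of (source, destination) networks permitted by one ACL."""
    found = set()
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_name]:
            continue
        t = t[2:]
        if t and t[0] == "extended":
            t.pop(0)
        if t[:2] != ["permit", "ip"]:
            continue  # only 'permit ip' entries define tunnel selectors here
        t = t[2:]
        src = take_addr(t)
        dst = take_addr(t)
        found.add((src, dst))
    return found

def mirror_report(local, remote):
    """Compare the remote selectors with the local ones swapped src<->dst."""
    expected = {(dst, src) for src, dst in local}
    return {"missing_on_remote": expected - remote,
            "extra_on_remote": remote - expected}

# Constructed sample configs (addresses are assumptions, see lead-in).
LOCAL = "access-list Outside_1_cryptomap extended permit ip host 172.20.20.6 10.10.10.0 255.255.255.0"
REMOTE_GOOD = "access-list remote_crypto extended permit ip 10.10.10.0 255.255.255.0 host 172.20.20.6"
# Remote side written against the untranslated inside address: not a mirror.
REMOTE_BAD = "access-list remote_crypto extended permit ip 10.10.10.0 255.255.255.0 host 192.168.92.6"

if __name__ == "__main__":
    local = selectors(LOCAL, "Outside_1_cryptomap")
    for label, cfg in (("good", REMOTE_GOOD), ("bad", REMOTE_BAD)):
        print(label, mirror_report(local, selectors(cfg, "remote_crypto")))
```

An empty report on both keys means the selectors mirror each other; it says nothing about separate filtering ACLs on the remote firewall, which is the second question in the reply.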


New Member

Re: VPN Site to Site With NAT

It's working fine now. You're right, the TCP traffic was not permitted on the remote site.

Thanks for your help.

New Member

Re: VPN Site to Site With NAT

cool :)

You're welcome