Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

IPSec and NAT

I will admit I am very confused given lack of concrete information available regarding IPSec and NAT.

Is it possible to configure an IPSec VPN behind a NAT router (Cisco 1700)?

I'm currently running an ISA 2006 VPN server and I have no issues connecting to it within the infrastructure (IPSec using pre-shared keys). However I can't reach the server from the outside.

I'm currently using this commands to forward and open up port UDP 500.

ip nat inside source static 209.x.x.100

access-list 111 permit udp any host 209.x.x.100 eq isakmp

Is this configuration even possible through a Cisco 1700? Or must I use PPTP (port 1723)? FYI, the router supports its own VPN but I was wanting to use ISA as it gives me more control in my particular org.



New Member

Re: IPSec and NAT

I am fighting the same problem, but I believe this might help some. Here is an example.

You have a nat rule for local IP to "any" - or general Internet

You have a different nat rule for local IP to the remote LAN through the VPN tunnel. This is simply defined with an access-list and nat rule.

You many even have a different nat rule that will nat you to another IP, but only if going through VPN1...


Your IP address =

Remote LAN over S-2-S VPN1 =

External IP natted to for VPN1 =

Remote LAN over S-2-S VPN2 =

You would have a series of access-lists:

access-list 104 permit ip host

access-list 105 permit ip host

access-list 106 deny ip host

access-list 106 permit ip host any

access-list 107 permit ip host

ip nat inside source route-map nat_rulz1 interface Serial0/0/0 overload

ip nat inside source route-map nat_rulz2

route-map nat_rulz1 permit 10

match ip address 105

route-map nat_rulz2 permit 10

match ip address 106

IPSEC policy for VPN#1 matches access-list 104, after the nat process identifies the interesting traffic and nat's it to the public IP (using acl 105, applied by route-map to nat_rulz2)

IPSEC policy for S-2-S VPN#2 matches access-list 107 to define traffic to be encrypted, which uses the 'real' private IP without NAT

Acl 106 exempts (deny) matching traffic from the "normal" nat process, but only if going to the other LAN past the VPN tunnel.

You can see that it is not exactly simple, but certainly can be done.

CreatePlease to create content