Cisco Support Community

New Member



We enable the VPN and NAT on the same route. We would like the following:

1. can NAT to outside internet (using x.x.x.x overload)

2. can access the TW office via VPN

For details, please refer to the config file. The VPN is working if we use extended ping.

We find that it always goes to Gi 0/0 if we access the network. Is anything missing in my config? Please advise.

Best regards




crypto map mymap 101 ipsec-isakmp

description VPN to TW office

set peer 201.x.x.x

set transform-set myset

match address 101


interface GigabitEthernet0/0

ip nat outside

crypto map mymap


interface GigabitEthernet0/2

ip address

ip nat inside


ip nat pool NAT x.x.x.x x.x.x.x netmask

ip nat inside source route-map nonat pool NAT overload

access-list 100 deny ip

access-list 100 permit ip any

access-list 101 permit ip

route-map nonat permit 10

match ip address 100
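An added example, not part of the original post: on IOS, inside-to-outside NAT is evaluated before the crypto map on the outside interface, so every flow permitted by the crypto ACL (101 here) must hit a `deny` in the NAT route-map ACL (100 here) first, or it is translated and leaves Gi0/0 unencrypted. The Python check below tests that relationship; the subnets are constructed, since the post's addresses are elided, and the function names are hypothetical.

```python
import ipaddress

def net(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.ip_address(tok[1]))
    if wild & (wild + 1):  # only contiguous wildcards map to a prefix length
        raise ValueError("non-contiguous wildcard not handled: " + tok[1])
    return ipaddress.ip_network((tok[0], 32 - wild.bit_length()), strict=False), tok[2:]

def parse_acls(config):
    """Map ACL number -> ordered list of (action, src, dst) for 'ip' entries."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[3] == "ip":
            try:
                src, rest = net(t[4:])
                dst, _ = net(rest)
            except IndexError:  # truncated or sanitized entry: skip it
                continue
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def nat_leaks(config, nat_acl, crypto_acl):
    """Return crypto-ACL flows that the NAT ACL would translate before encryption."""
    acls = parse_acls(config)
    leaks = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        # The first overlapping NAT ACL entry decides; conservatively, only a
        # deny that covers the whole flow counts as a NAT exemption.
        for n_action, n_src, n_dst in acls.get(nat_acl, []):
            if n_src.overlaps(src) and n_dst.overlaps(dst):
                if not (n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst)):
                    leaks.append((str(src), str(dst)))
                break
    return leaks

# Constructed sample configs: the exemption in BROKEN names the wrong remote subnet.
CRYPTO = "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n"
BROKEN = CRYPTO + ("access-list 100 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255\n"
                   "access-list 100 permit ip 10.1.1.0 0.0.0.255 any\n")
FIXED = CRYPTO + ("access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n"
                  "access-list 100 permit ip 10.1.1.0 0.0.0.255 any\n")
print(nat_leaks(BROKEN, "100", "101"), nat_leaks(FIXED, "100", "101"))
```

An empty result means every VPN flow is exempted from NAT; any listed pair is traffic that would be translated to the pool address and sent to the internet instead of into the tunnel.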

Cisco Employee

Re: NAT and VPN

This is absolutely fine. You have only one link and you are setting up VPN over the internet to TW office. Any traffic which will leave for the internet or VPN will always go via Gig 0/0, as that is your outside-facing link.

If you have any other link on the router then you can use PBR to have internet traffic go via one link and the VPN traffic go via another link.

HTH. Please rate if it does.

-amit singh

New Member

Re: NAT and VPN

Hi, there is one Internet link (gi ethernet)

We would like:

A. --> --> gi ether ----> VPN

B. --> ---> gi eth -----> internet

Currently, "A" is not working. It seems that it goes "B" no matter what the destination IP address.

Any advice?

Cisco Employee

Re: NAT and VPN

What I can get from the above post is that you are able to go to the internet but unable to connect to the TW office, is that correct?

If yes, what does the output of "show crypto isakmp sa" tell you on the routers at both your end and the TW end? It seems that your VPN is not working to the TW site. Please paste the output of "show crypto map" as well.


-amit singh

New Member

Re: NAT and VPN


Codes: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature

renc - RSA encryption

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

140 x.x.x.x y.y.y.y ACTIVE des md5 psk 1 23:48:23

Connection-id:Engine-id = 140:1(software)