https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874984#M153296 <P>yes, it will be captured by the 'permit ip any any' at the end of the NO-NAT ACL.</P> Mon, 06 Jun 2016 08:26:04 GMT johnlloyd_13 2016-06-06T08:26:04Z https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874981#M153293 <P>Hello guys and trying to setup LAN to LAN tunnel between two sites and its not working for me.. I thing traffic is being natted before it leaves PAT router.</P> <P>I attached topology and running config</P> <P><STRONG>R2 configs!</STRONG></P> <P>R2#show run<BR />Building configuration...</P> <P>Current configuration : 1734 bytes<BR /><BR />hostname R2<BR /><BR />!<BR />crypto isakmp policy 1<BR />encr aes<BR />authentication pre-share<BR />group 5<BR />lifetime 84600<BR />crypto isakmp key cisco address 10.1.2.2<BR />!<BR />crypto ipsec security-association lifetime seconds 86400<BR />!<BR />crypto ipsec transform-set myset esp-aes esp-sha-hmac <BR />!<BR />crypto map mymap 10 ipsec-isakmp <BR />! Incomplete<BR />set peer 10.1.2.2<BR />set transform-set myset <BR />match address 100<BR />!&nbsp;<BR />interface Loopback0<BR />ip address 2.2.2.2 255.255.255.255<BR />!<BR />interface FastEthernet0/0<BR />ip address 10.1.1.2 255.255.255.252<BR />ip nat outside<BR />crypto map mymap<BR />!<BR />interface FastEthernet0/1<BR />ip address 192.168.1.1 255.255.255.0<BR />ip nat inside<BR />!<BR />ip route 0.0.0.0 0.0.0.0 10.1.1.1<BR />!<BR />ip nat inside source list 10 interface FastEthernet0/0 overload<BR />!<BR />access-list 10 permit any<BR />access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255<BR />!<BR />end<BR />----------------------------------------------------------<BR /><STRONG>R4#show run</STRONG><BR />Building configuration...</P> <P>Current configuration : 1774 bytes<BR />hostname R4<BR />!<BR />crypto isakmp policy 1<BR />encr aes<BR />authentication pre-share<BR />group 5<BR />crypto isakmp key cisco address 10.1.1.2<BR />!<BR />crypto ipsec security-association lifetime seconds 86400<BR />!<BR />crypto ipsec transform-set myset esp-aes esp-sha-hmac <BR />!<BR />crypto map mymap 10 ipsec-isakmp <BR />set peer 10.1.1.2<BR />set transform-set myset <BR />match address 100<BR />!<BR />interface Loopback0<BR />ip address 4.4.4.4 255.255.255.255<BR />!<BR />interface FastEthernet0/0<BR />ip address 192.168.2.1 255.255.255.0<BR />ip nat inside<BR />!<BR />interface FastEthernet0/1<BR />ip address 10.1.2.2 255.255.255.252<BR />ip nat outside<BR />crypto map mymap<BR />!<BR />ip route 0.0.0.0 0.0.0.0 10.1.2.1<BR />!<BR />ip nat inside source list 10 interface FastEthernet0/1 overload<BR />!<BR />access-list 10 permit any<BR />access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255<BR />!</P> <P>end</P> <P></P> Tue, 12 Mar 2019 07:50:46 GMT https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874981#M153293 ansarjavaid54 2019-03-12T07:50:46Z https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874982#M153294 <P>hi,</P> <P>re-configure your NAT ACL to deny/untranslate the LAN-to-LAN traffic:</P> <P>R2:</P> <P>no access-list 10 permit any<BR />no ip nat inside source list 10 interface FastEthernet0/0 overload<BR /><BR />ip access-list extended NO-NAT-R2<BR />&nbsp;deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255<BR />&nbsp;permit ip any any<BR /><BR />ip nat inside source list NO-NAT-R2 interface FastEthernet0/0 overload<BR /><BR /><BR />R4:</P> <P>no access-list 10 permit any<BR />no ip nat inside source list 10 interface FastEthernet0/1 overload<BR /><BR />ip access-list extended NO-NAT-R4<BR />&nbsp;deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255<BR />&nbsp;permit ip any any<BR /><BR />ip nat inside source list NO-NAT-R4 interface FastEthernet0/0 overload</P> Sun, 05 Jun 2016 14:57:34 GMT https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874982#M153294 johnlloyd_13 2016-06-05T14:57:34Z https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874983#M153295 <P>Hello&nbsp;<A href="https://supportforums.cisco.com/users/johnlloyd13" title="View user profile." class="username" lang="" about="/users/johnlloyd13" typeof="sioc:UserAccount" property="foaf:name" datatype="">johnlloyd</A>.. Will this allow my other traffic destined towards internet.</P> Mon, 06 Jun 2016 08:06:32 GMT https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874983#M153295 ansarjavaid54 2016-06-06T08:06:32Z https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874984#M153296 <P>yes, it will be captured by the 'permit ip any any' at the end of the NO-NAT ACL.</P> Mon, 06 Jun 2016 08:26:04 GMT https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874984#M153296 johnlloyd_13 2016-06-06T08:26:04Z https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874985#M153297 <P>Tyx brother its works</P> Mon, 06 Jun 2016 08:41:05 GMT https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874985#M153297 ansarjavaid54 2016-06-06T08:41:05Z https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874986#M153298 <P>np. thanks for rating my posts!</P> Mon, 06 Jun 2016 08:43:31 GMT https://community.cisco.com/t5/network-security/lan-ipsec-tunel-not-working-due-to-pat-router/m-p/2874986#M153298 johnlloyd_13 2016-06-06T08:43:31Z