Showing results for 
Search instead for 
Did you mean: 

How to configure NAT overload for unsecured traffic on routers configured for IPSec VPN


Core Issue

Router-to-router IP Security (IPSec) Virtual Private Networks (VPNs) are used to protect site-to-site data transfer over public networks. The site-to-site traffic that needs to be protected is tunneled by the router on the edge of the network to its remote IPSec peer. 

Edge routers are also configured for network or Port Address Translation (PAT) to assign globally unique, routable addresses to devices with private IP addresses. Network Address Translation (NAT) and IPSec might be needed together on a device when the same link is used for reaching the Internet as well as remote branches of the corporate network. While address translation of non IPSec-protected data is necessary, the IPSec protected data can be allowed through without address translation.


IPSec traffic can be exempted from address translation with route maps. For example, to allow IPSec-protected traffic between the private network and remote site network to pass through without address translation, perform these steps:

  1. Define an Access Control List (ACL) and choose the keyword deny for all IPSec protected traffic. To define the ACL, issue the access-list command in global configuration mode, as shown in this output:

    access-list 110 deny ip

    access-list 110 permit ip any

    This ACL denies traffic between networks and, which is IPSec encrypted,  while permitting traffic to all the other networks.

  2. Define a route map and bind the ACL to it by issuing the match command.

    To define the route map, issue the route-map command in global configuration mode and match the command in route-map configuration mode, as shown in this output:

    route-map map1 permit 10 match ip address 110

  3. To specify the inside addresses that need to be translated, issue the route-map command in the ip nat inside source command, as shown in this command:

    ip nat inside source route-map map1 interface Ethernet0 overload

    The ip nat inside source command issues the route-map map1 command to determine which inside addresses need to be translated. The route-map map1 command uses access-list 110, which is configured with the keyword deny for traffic between the two private networks being IPSec-protected. The IPSec-protected traffic is not address translated. However, the traffic from the private network that goes on to the Internet is port address translated to the address on the Ethernet interface.

For additional information on preventing address translation of IPSec-protected traffic while using NAT overloading for the unprotected traffic, refer to Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks.

For additional information on preventing address translation of IPSec-protected traffic exchanged over a router-to-router, dynamic-to-static IPSec VPN, refer to Configuring Router-to-Router Dynamic-to-Static IPSec with NAT.

For additional information on preventing address translation of IPSec-protected traffic exchanged over a router-to-router IPSec on Generic Routing Encapsulation (GRE) tunnel, refer to Configuring Router-to-Router IPSec (Pre-shared Keys) on GRE Tunnel with CBAC and NAT.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards