
One-to-One NAT interfering with Site-to-Site VPN

Daniel Boling

Relevant Topology:

(Corporate LAN: > (Catalyst 3560 L3 Switch: # ip routing) > ( > (Cisco 1921: edge router) > ISP

One-to-One NAT statement in edge router:

#  ip nat inside source static <inside local ip> <inside global ip>

Packets destined for our branch offices across IPsec Site-to-Site VPNs, originating from the above inside local IP, change their source address (at the edge router) to the above inside global IP, forwarding traffic destined to the branch to our ISP's gateway instead of over the VPN tunnel.

After establishing a remote IPsec VPN connection, via Cisco VPN Client, I am able to ping the inside local IP specified above with no issues (the router sends the traffic sourced from the above inside local IP before applying the One-to-One NAT statement).

Relevant configuration:

Remote VPN ACL:

ip access-list extended REMOTE_VPN_ACL
 permit ip <ip local pool subnet> any
 permit ip any

Site-to-Site VPN ACL:

ip access-list extended SITE-TO-SITE_VPN_ACL
 permit ip
 permit ip


ip nat inside source route-map INTERNET_BOUND_RMAP interface GigabitEthernet0/1 overload

Route Map:

route-map INTERNET_BOUND_RMAP permit 10
 match ip address INTERNET_BOUND_ACL

Internet-bound ACL:

ip access-list extended INTERNET_BOUND_ACL
 deny   ip
 permit ip any
 permit ip any

If I remove the One-to-One NAT statement, both the Site-to-Site VPN and Remote VPNs can communicate with the relevant inside local IP. With the One-to-One NAT statement active, only the Remote VPN can communicate successfully (as the NAT statement changes the packet's source address to the inside global IP).

Why is the One-to-One NAT statement only applying to packets destined for our Site-to-Site VPNs, and what is the appropriate way to prevent this?

Thank you
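Added illustration, not taken from this thread or its accepted solution: the pattern commonly used on IOS to keep a static one-to-one translation from firing on traffic that should enter an IPsec tunnel is to gate the static entry with a route-map whose ACL denies the site-to-site destinations. All addresses (RFC 5737 ranges), ACL names and route-map names below are constructed placeholders.

```cisco
! Constructed example, not the poster's running configuration.
! 10.10.10.50 = inside local, 203.0.113.50 = inside global,
! 10.20.20.0/24 and 10.30.30.0/24 = branch subnets behind the tunnels.
!
! --- Before: unconditional one-to-one NAT ---
! IOS processes inside-to-outside traffic as routing -> NAT -> crypto,
! so a packet from 10.10.10.50 to 10.20.20.0/24 is rewritten to
! 203.0.113.50 first, no longer matches the crypto ACL, and is forwarded
! in the clear toward the ISP.
ip nat inside source static 10.10.10.50 203.0.113.50

! --- After: same translation, skipped for tunnel destinations ---
! The ACL denies exactly the destinations the crypto ACL encrypts;
! a denied packet does not match the route-map, so it is not translated.
ip access-list extended STATIC_NAT_RMAP_ACL
 deny   ip host 10.10.10.50 10.20.20.0 0.0.0.255
 deny   ip host 10.10.10.50 10.30.30.0 0.0.0.255
 permit ip host 10.10.10.50 any

route-map STATIC_NAT_RMAP permit 10
 match ip address STATIC_NAT_RMAP_ACL

! 'reversible' keeps outside-to-inside sessions initiated toward
! 203.0.113.50 working, which a plain route-map static entry does not.
no ip nat inside source static 10.10.10.50 203.0.113.50
ip nat inside source static 10.10.10.50 203.0.113.50 route-map STATIC_NAT_RMAP reversible

! Verification: branch-bound packets should now increment the IPsec SA
! counters instead of appearing as translations.
show ip nat translations
show crypto ipsec sa
```

The remote-access VPN path is unaffected because its pool addresses are already excluded from translation by the route-map-based overload rule shown in the post.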
