IPsec overlapping networks with NAT overload to the internet

Hello, Guys..

I have a doubt regarding a scenario that I built in the Unet Lab.

In the image I have 2 sites in a company: the site 1 LAN is and the site 2 LAN is . I can successfully establish a VPN between the two sites, as evidenced:



The main problem here is that I can't get out to the internet even with the NAT configuration correct. If I remove the NAT configuration used for the VPN, access to the internet works normally, but the VPN breaks. Is there any other strategy so that I can both access the internet and access the resources of the other site through the VPN?

The routers of the two sites are attached.

Thank you in advance!


01. You have to create an ACL permit and apply it in the crypto map of the internet interface.


Configure the access lists and map them to the configured crypto map.

access-list 100 remark IPSec Rule
access-list 100 permit ip LANSITE1NW+Wildcardmask LANSITE2NW+Wildcardmask

! 10 is the crypto map sequence number; IOS requires one (any value)
crypto map S2SVPN_1 10 ipsec-isakmp
 set peer 177.94.X.X
 set transform-set Router-IPSEC
 match address 100

interface FastEthernet0
 ip address 200.150.X.X
 duplex auto
 speed auto
 crypto map S2SVPN_1

02. Configure NAT to allow the inside network to access the internet.


ip nat inside source route-map nonat interface fa0/0 overload

ACL 110 identifies the traffic flows, using a route map:

access-list 110 deny ip LANSITE1NW+Wildcardmask LANSITE2NW+Wildcardmask
access-list 110 permit ip LANSITE1NW+Wildcardmask any
route-map nonat permit 10
 match ip address 110

I hope this will help you.




Hello my friend.

Unfortunately the configuration you gave me didn't work. After the tests, I can't ping site 2 through the VPN. Note that in the debug, when I try to ping a site 2 host or the internet, it shows a match on the IPSEC NAT rule.
Attached is the .txt file with the configuration of SITE1 and images with the debug ip nat output and the output of show ip nat translation.

Hi ,

1. You have to remove:
no ip nat inside source static network /24
no ip nat outside source static network /16
2. Change the ACL at site 1, because your local NW and remote NW
#ip access-list extended NONAT
deny ip
permit ip any
# ip access-list extended VPN-CRYPTO
permit ip
3. At site 2 the ACL should be:

#ip access-list extended NONAT
deny ip
permit ip any
# ip access-list extended VPN-CRYPTO
permit ip
4. Clear ISAKMP (phase 1):
#clear crypto isakmp

5. Clear IPsec (phase 2):
# clear crypto sa

6. Initiate traffic from site 1 to site 2:

# ping 172.25.10.X source 192.168.X.X

Check the crypto isakmp and then the ipsec inbound and outbound.

7. Site 1 internal users will be able to access the internet as well.

Please rate if this helps you.

Thanks,




I imagine that you did not understand: the site 1 LAN is and the site 2 LAN is . These two NAT rules that you asked me to remove are the rules that solve the overlap between the two sites so that they can communicate:
ip nat inside source static network /24: this rule translates the source from to , so a host doing a ping test from site 2 to site 1 should send the ICMP to a host of the network instead, because I'm masking the origin.

The same logic applies to the rule ip nat outside source static network /16, where the hosts from site 1 trying to ping a host in site 2 will send the ICMP to a host on the network instead of the network, because I'm translating the destination.
So, if I'm not mistaken, the configuration you are giving me assumes that the hosts on the site 2 LAN really use the network, which would be a simpler scenario for me: just a NAT exemption rule between the networks, so that the translation is not done, would solve the internet connectivity problem and keep the communication between the sites through the VPN. But that is not my case.
Just as a note, I replaced the router with an ASAv in site 1, following the same logic, and I had success both with connectivity to the internet and with communication to site 2 through the VPN, without interference in the NAT rule.
Now the question is: why does the router not show the same absence of interference in the NAT rule?
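An added example, not from the thread, of how the overlap is usually handled on an IOS router without the interference the last post asks about. A static network mapping on IOS is matched on the source address alone and takes precedence over the route-map overload rule, so LAN packets bound for the internet are also translated into the VPN range and leave with a private source (the "match IPSEC NAT rule" seen in the debug), whereas a destination-conditioned NAT rule, like the ASA's manual NAT, only fires for traffic to the other site. All addresses, interface names and ACL names below are assumed placeholders; site 2 mirrors this with the ranges swapped.

```cisco
! Added example, not from the thread. Site 1 router; site 2 mirrors it
! with the ranges swapped. All values are assumed placeholders:
!   real LAN at both sites      192.168.1.0/24   (the overlap)
!   site 1 as seen by site 2    10.1.1.0/24
!   site 2 as seen by site 1    10.2.2.0/24
!   internet interface          FastEthernet0/0, LAN FastEthernet0/1
!
! match-host keeps the host part: 192.168.1.25 becomes 10.1.1.25.
ip nat pool SITE1-VPN 10.1.1.1 10.1.1.254 prefix-length 24 type match-host
!
! Translate the LAN only when the destination is the other site's
! translated range. Unlike "ip nat inside source static network", this
! rule is evaluated against the destination, so internet traffic never
! matches it. Entries are created by traffic that site 1 hosts initiate;
! hosts that site 2 must reach first still need a static mapping (not shown).
ip access-list extended VPN-NAT
 permit ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip nat inside source list VPN-NAT pool SITE1-VPN
!
! Everything else from the LAN is overloaded onto the internet interface.
! The explicit deny keeps the VPN flows out of this rule.
ip access-list extended INTERNET-NAT
 deny   ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list INTERNET-NAT interface FastEthernet0/0 overload
!
! IOS translates inside-to-outside traffic before it checks the crypto
! map, so the crypto ACL must match the post-NAT addresses.
ip access-list extended VPN-CRYPTO
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map S2SVPN_1 10 ipsec-isakmp
 set peer 177.94.X.X
 set transform-set Router-IPSEC
 match address VPN-CRYPTO
!
interface FastEthernet0/0
 ip nat outside
 crypto map S2SVPN_1
interface FastEthernet0/1
 ip nat inside
```

After a site 1 host pings 10.2.2.x, show ip nat translations should list a 192.168.1.x to 10.1.1.x entry with no port, while browsing the internet from the same host produces overloaded entries on the FastEthernet0/0 address.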