
IPSec and NAT


Hello. Can anybody help me solve my problem?

I have two sites connected to each other using IPSec VPN. Site A: ASA - LAN, WAN:, IPSec from Internet. Site B: Cisco 2821, LAN, WAN: IPSec I need to use static NAT on 2821 for host from

Cisco 2821 configuration:

interface GigabitEthernet0/0
 description TO_INTERNET_CDK
 ip address
 ip access-group INET_IN in
 no ip proxy-arp
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 crypto map SITE_VPN

ip nat inside source static no-alias

If I ping from the internet, I see packets on the host, and I see the reply packet too, but the packet does not leave the Cisco 2821. Encrypt and decrypt counters are changed in sh crypto ipsec sa | beg

I think the problem is that ip nat inside is absent in chains; I use one interface for incoming and outgoing traffic for the host on the Cisco 2821.

On the internet host I see "Blocked incoming ICMP packet (ICMP type 0) from to" when I ping from this host.



It is difficult to follow the nature of the issue you are facing on your setup.

If I understood right, you want users at Site A to access your host on this IP or on this IP: at Site B?

Not right. I need the host from Site A to become available from the internet using an IP that belongs to Site B. If I ping from the internet I see the ICMP packet on the host, and I see response packets too, but the response packets do not go to the internet from the Cisco 2821. See attachment.

You want Internet traffic for host: traversing from Site B, via the IPSec tunnel, to the host at Site A?





Yes. I need the host on site A to look like a host on site B from the internet.
