
Site to Site IPSec Tunnel and NAT


Hello all


For remote support possibility by a service provider we need to have a Site to Site IPSec Tunnel to them, as this is the only VPN type they offer.


This tunnel is working so far.

Now the problem:

Because I can't change the network configuration of the devices in the target network (not configure routes or a default gateway on them), the only solution is to use NAT.


This is working fine with an L2TP IPSec "dial-in" type of VPN, as there I have an interface Virtual-Template1 which I can configure as nat inside.

The target network interface Vlan1 is configured as nat outside.

Then a:

ip nat inside source list ACL-NAT interface Vlan1 overload

With this I have communication to the devices in the target network working perfectly fine if connected through the L2TP IPSec VPN.


But with the Site to Site IPSec tunnel there is no interface which I can set as nat inside.


Is there any way to use NAT in combination with a Site to Site IPSec tunnel?


Thank you in advance.


Kind regards



Accepted Solution



Unlike with the L2TP IPSec VPN, with the Site to Site IPSec Tunnel I don't get any extra (virtual or tunnel) interface.

It's about the order of operations: NAT is performed after IPSec decryption. Which means that when the IPSec-encapsulated packet arrives on your WAN interface (e.g. GigabitEthernet8), it will first be decrypted (source: 192.168.80.x, destination: 10.20.60.x). Then NAT is performed (source: 192.168.80.x -> [overload NAT]; destination: 10.20.60.x).


Vice versa, when the return packet arrives on the LAN interface, NAT is performed before IPSec encryption, which means the packet (source: 10.20.60.x, destination: ) will translate to (source: 10.20.60.x, destination: 192.168.80.x). According to the routing table, it should exit out the WAN interface (Gig8). IPSec encryption is then performed if (source: 10.20.60.x, destination: 192.168.80.x) hits the crypto map condition.


So, if it's well configured, it should work as expected.


Your configuration looks good to me except the interface Gig8.


interface GigabitEthernet8
ip address x.x.x.x
ip access-group ACLWAN in
duplex auto
speed auto
no cdp enable
crypto map CRYP_MAP
ip nat inside

Do you have 'ip nat inside' configured on Gig8? 

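As an added example (not from the thread or from Cisco), this Python model walks one connection through the order of operations the answer describes: decrypt, then NAT on the way in via Gig8 ('ip nat inside'); undo NAT, then evaluate the crypto map on the way out via Vlan1 ('ip nat outside'). The host addresses, the Vlan1 address, and the contents of ACL-NAT and the crypto ACL are constructed assumptions.

```python
import ipaddress

# Constructed addresses matching the thread: 192.168.80.x is the remote support side
# behind the tunnel, 10.20.60.x is the target network whose devices cannot be given routes.
REMOTE_NET = ipaddress.ip_network("192.168.80.0/24")
TARGET_NET = ipaddress.ip_network("10.20.60.0/24")
VLAN1_ADDR = ipaddress.ip_address("10.20.60.1")  # Vlan1, 'ip nat outside' (address assumed)

nat_table = {}  # overload (PAT) table: (Vlan1 addr, new port) -> (original src, original port)

def acl_nat_permits(src, dst):
    """ACL-NAT (contents assumed): translate tunnel traffic headed into the target network."""
    return src in REMOTE_NET and dst in TARGET_NET

def crypto_map_matches(src, dst):
    """Crypto ACL of CRYP_MAP (contents assumed): target network <-> remote support network."""
    return src in TARGET_NET and dst in REMOTE_NET

def inbound_on_gig8(ipsec_pkt):
    """IPsec packet on Gig8 ('ip nat inside'): decrypt first, then NAT the inner source."""
    src, sport, dst, dport = ipsec_pkt["inner"]  # header exposed by decryption
    if not acl_nat_permits(src, dst):
        return (src, sport, dst, dport)  # untranslated: the device would have no route back
    new_port = 1024 + len(nat_table)  # overload: one Vlan1 address, a unique port per flow
    nat_table[(VLAN1_ADDR, new_port)] = (src, sport)
    return (VLAN1_ADDR, new_port, dst, dport)  # the device sees Vlan1 as the sender

def reply_on_vlan1(pkt):
    """Reply on Vlan1 ('ip nat outside'): undo NAT first, then evaluate the crypto map."""
    src, sport, dst, dport = pkt
    original = nat_table.get((dst, dport))
    if original is None:
        return None  # no translation entry: not a tunnel flow, nothing to encrypt
    osrc, oport = original
    # After un-NAT the header is 10.20.60.x -> 192.168.80.x; that is what the crypto ACL sees.
    return {"inner": (src, sport, osrc, oport), "encrypted": crypto_map_matches(src, osrc)}

def simulate_ssh_session():
    """One SSH connection from the support side to a device, seen on both interfaces."""
    nat_table.clear()
    fmt = lambda h: (str(h[0]), h[1], str(h[2]), h[3])
    inner = (ipaddress.ip_address("192.168.80.10"), 40000, ipaddress.ip_address("10.20.60.50"), 22)
    to_device = inbound_on_gig8({"inner": inner})
    reply = (to_device[2], to_device[3], to_device[0], to_device[1])  # device answers the NATed header
    back = reply_on_vlan1(reply)
    return {"to_device": fmt(to_device), "inner": fmt(back["inner"]), "encrypted": back["encrypted"]}

if __name__ == "__main__":
    print(simulate_ssh_session())
```

The device only ever sees Vlan1 as its peer, which is why it needs no route or default gateway, while the crypto map is still matched on the original 10.20.60.x -> 192.168.80.x header.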


Rob Ingram
VIP Master


This VPN is on an IOS router? You can NAT overload behind the interface the VPN is established on.