Nat issue on vpn cisco isr 4321

Hello Forum
I have one issue here. I have configured IPsec with a partner, but the tunnel does not come up, since I have to NAT the inside private IP to the public IP, and on the access list I have to list the inside host (NATed public IP) and the external host public IP with ports under the TCP service, but the tunnel does not come up.
Also, on the same IP, once I NAT the private IP to the public IP, some of the services for which the access list has been created using that private IP go down.

ip nat inside source static

ip access-list extended 128
 remark IPSec SERVICE
 permit tcp host 6.X.Y.230 host 197.Z.A.136 eq 80

Hello Elias

There could be a few reasons why your IPSec tunnel isn’t coming up. Here are a few things you can check:

  • Phase 1 and Phase 2 settings: Ensure that the settings for both Phase 1 and Phase 2 match on both ends of the tunnel. This includes encryption, hash, authentication method, Diffie-Hellman group, and lifetime.
  • NAT-T: If one end of your tunnel is behind NAT, you’ll need to enable NAT-Traversal (NAT-T) on both ends of the tunnel.
  • Access Lists: The access lists on both ends of the tunnel need to mirror each other. This means that if you have an access list on one end that permits traffic from A to B, the other end needs an access list that permits traffic from B to A.
  • Routing: Ensure that your routing is set up correctly so that traffic destined for the remote network is being sent to the correct next hop.

As for your NAT issue, it sounds like your NAT rule might be conflicting with an existing service. When you create a static NAT rule, it will take precedence over any dynamic NAT rules. If you have a service that’s using the private IP you’re trying to NAT, it will be affected by the static NAT rule. You might need to reconfigure your NAT rules or the service that’s being affected. It’s hard to say without more information about your network setup.

Some notes that may help you to deal with NAT and IPSec:

I hope this has been helpful!


PS I “sanitized” the configuration you shared so that the public IP addresses are not made known to others, for security purposes.

Thank you very much for your input.

The problem is that I have other tunnels which use the private IP for encryption, with a new request that I have to use the public IP for IPsec, but my servers are running with the private IP, so the same server IP will need to be on various VPN tunnels, of which one tunnel needs the public IP, so once I configure static NAT the other services go down.
I think now I need to configure NAT which does not affect the other services using the same private IP to public.

Hello Elias

The topology you’re describing isn’t completely clear to me, but it sounds like you’re on the right track. In order to resolve the issue, you may want to take a look at policy NAT using route maps as a solution. I can’t help you specifically without knowing more details of your topology and addressing scheme, but I suggest that you take a look at this lesson for more information:

With policy NAT you can allow the specific traffic defined in your access list to be NAT’d, while not affecting the other services using the same Private IP.

Let us know how you get along, and if we can be of further help.

I hope this has been helpful!
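
The following is an added configuration example, not something posted in this thread and not the poster's own configuration, showing what the policy NAT suggested above looks like on IOS, together with the matching crypto ACL from the checklist in the first reply. It assumes: the server's private address is 10.10.10.230 and is translated to 203.0.113.230 only toward the partner host 198.51.100.136 (all three are constructed RFC 5737 documentation addresses); a second, existing tunnel to peer network 192.0.2.0/24 keeps encrypting the private address; the interface names, the ACL names NAT-TO-PARTNER and 129, and the route-map name POLICY-NAT-PARTNER are assumptions; and the crypto maps binding ACLs 128 and 129 to their peers are already in place.

```cisco
! Added example, not from this thread. All addresses are constructed
! documentation addresses; names and interfaces are assumptions.
!
! 1. Only traffic from the server to the partner host is eligible for NAT.
ip access-list extended NAT-TO-PARTNER
 permit ip host 10.10.10.230 host 198.51.100.136
!
! 2. Route-map used as the NAT condition.
route-map POLICY-NAT-PARTNER permit 10
 match ip address NAT-TO-PARTNER
!
! 3. Conditional static NAT: the translation is applied only when the
!    route-map matches. Without the route-map clause the static entry
!    applies to every flow from 10.10.10.230, which is what breaks the
!    other tunnels and services that use the private address.
ip nat inside source static 10.10.10.230 203.0.113.230 route-map POLICY-NAT-PARTNER
!
! 4. Crypto ACL for the partner tunnel references the POST-NAT address:
!    on IOS, inside-to-outside NAT happens before the crypto map check.
!    The partner's crypto ACL must mirror this, i.e.
!    "permit tcp host 198.51.100.136 eq 80 host 203.0.113.230".
ip access-list extended 128
 remark IPSec SERVICE (partner, public addressing)
 permit tcp host 203.0.113.230 host 198.51.100.136 eq 80
!
! 5. Crypto ACL for the existing tunnel that keeps the private address.
!    This traffic never matches NAT-TO-PARTNER, so it is not translated.
ip access-list extended 129
 remark IPSec SERVICE (other peer, private addressing)
 permit ip host 10.10.10.230 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0/0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip nat outside
```

To verify, "show ip nat translations" should list 10.10.10.230 -> 203.0.113.230 only for flows to 198.51.100.136, and "show crypto ipsec sa" should show the encaps/decaps counters for the partner peer increasing once the SA is established. If the partner tunnel still does not negotiate, check the interesting-traffic ACL first: a crypto ACL written with the private address will never match packets that have already been translated, so no SA is ever requested.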


Thanks Laz

However, to be clear, I have this problem of failing to implement a site-to-site VPN tunnel, due to a NAT issue from private to public IP address.
I need to establish a secure VPN tunnel with encrypted traffic from inside to outside, but the problem is that once I put in the NAT statement, the other services using that private IP go down.
So I need to establish the VPN tunnel without affecting the other services.
I tried policy-based NAT but it seems not to be working.