Having Cisco ISR VPN troubles with 1 to 1 NAT?

Asset 6

Why you need a route map on a NAT statement

Posted on 21 June 2019 by Beaming Support

Cisco ISR VPN troubles with 1 to 1 NAT?

If you have the example NAT configuration on your Cisco ISR and a VPN you will quickly find that VPN traffic to the internal address of your NAT statement is not passing traffic over the VPN. But all other devices within the VPN proposal are passing traffic over the VPN. See below.

Cisco ISR VPN troubles with 1 to 1 NAT

Here’s how to configure a site to site VPN

R1 has the below command.

Ip nat inside source static

With the above command in place you will very quickly realise that host is not able to talk to the remote subnet of, the reason for this is that it will not hit your default NAT rule as it has been configured as a 1 to 1 NAT, this will then mean that any packet destined for will be NAT’ed out to To overcome this we will be using the above NAT statement with a route map to deny the VPN interesting traffic, see the below configuration for R1.

route-map 1to1NO-NAT permit 10

 match ip address VPN-TRAFFIC


ip access-list extended VPN-TRAFFIC

10 deny

20 permit ip host any any

Now all we need to do is amend our NAT statement, see the below

Ip nat inside source static route-map  1to1NO-NAT

After applying the above will be able to communicate with the remote VPN subnet.

Latest tech support posts – shared monthly!

Get all the latest tech support answers drop straight in your inbox. Sign up to our email round up. Add your email address below

  • This field is for validation purposes and should be left unchanged.