IPSec on ASA

NAT translations:
  static (inside,outside) GLOBAL-IP PRIVATE-IP netmask 255.255.255.255
  nat (inside) 0 access-list NONAT
The nat instance 0 exempts matching traffic from NAT; NONAT is the ACL that defines which traffic must not be translated (the VPN traffic, so it reaches the tunnel with its private addresses).

IPSec Phase 1:
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption aes-256
  isakmp policy 1 hash sha
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 28800
  tunnel-group REMOTE-END-IPSec-Peer-ipaddress type ipsec-l2l
  tunnel-group REMOTE-END-IPSec-Peer-ipaddress ipsec-attributes
    pre-shared-key xxxxxxx

IPSec Phase 2:
  crypto ipsec transform-set TESTPHASE2 esp-aes-256
  crypto map IPSECTUNNEL 1 match address INTERESTING-TRAFFIC
  crypto map IPSECTUNNEL 1 set peer REMOTE-END-IPSec-Peer-ipaddress
  crypto map IPSECTUNNEL 1 set transform-set TESTPHASE2
  crypto map IPSECTUNNEL 1 set security-association lifetime seconds 86400
  crypto map IPSECTUNNEL 1 set security-association lifetime kilobytes 86400
  crypto map IPSECTUNNEL interface outside

Interesting traffic:
  object-group network SOURCE-NETWORK
    network-object host 1.1.1.1
  object-group network DESTINATION-NETWORK
    network-object host 2.2.2.2
  object-group service TCP-APPLICATION-PORT tcp
    port-object eq 80
    port-object eq 443
  object-group service UDP-APPLICATION-PORT udp
    port-object eq 80
    port-object eq 443
  access-list INTERESTING-TRAFFIC extended permit tcp object-group SOURCE-NETWORK object-group DESTINATION-NETWORK object-group TCP-APPLICATION-PORT
  access-list INTERESTING-TRAFFIC extended permit udp object-group SOURCE-NETWORK object-group DESTINATION-NETWORK object-group UDP-APPLICATION-PORT

Static Route:
  route outside 0.0.0.0 0.0.0.0 1.1.1.1   (default route)
  route outside 192.168.1.1 255.255.255.255 1.1.1.1

ACL:
  access-group ACL-NAME in interface outside

Verification:
Phase 1:
  show crypto isakmp sa
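As an added example (not part of the notes above), a small Python audit that parses these Phase 1 / Phase 2 lines and flags the settings a reviewer would question: DH group 2 and SHA-1 in the ISAKMP policy, an ESP transform-set with no integrity algorithm, and a crypto map entry that references an undefined transform-set or ACL. The embedded config string is constructed from the notes, with 203.0.113.10 standing in for REMOTE-END-IPSec-Peer-ipaddress.

```python
import re
from collections import defaultdict

# Constructed sample (not a live device config): the Phase 1 / Phase 2 lines from the
# notes above, with 203.0.113.10 standing in for REMOTE-END-IPSec-Peer-ipaddress.
ASA_CONFIG = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
crypto ipsec transform-set TESTPHASE2 esp-aes-256
crypto map IPSECTUNNEL 1 match address INTERESTING-TRAFFIC
crypto map IPSECTUNNEL 1 set peer 203.0.113.10
crypto map IPSECTUNNEL 1 set transform-set TESTPHASE2
crypto map IPSECTUNNEL 1 set security-association lifetime seconds 86400
access-list INTERESTING-TRAFFIC extended permit tcp object-group SOURCE-NETWORK object-group DESTINATION-NETWORK object-group TCP-APPLICATION-PORT
"""

WEAK_DH = {"1", "2", "5"}      # 768/1024/1536-bit MODP groups
WEAK_HASH = {"md5", "sha"}     # "sha" in this syntax means SHA-1

def audit_asa_ipsec(config: str) -> list:
    # isakmp policy number -> {attribute: value}; transform-set name -> transforms;
    # defined ACL names; (crypto map name, seq) -> {sub-command: argument}
    policies, transform_sets = defaultdict(dict), {}
    acls, cmap = set(), defaultdict(dict)
    for line in config.splitlines():
        if m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            policies[m[1]][m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m[1]] = m[2].split()
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            cmap[(m[1], m[2])][m[3]] = m[4]
    findings = []
    for num, p in policies.items():
        if p.get("group") in WEAK_DH:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is weak, use 14 or higher")
        if p.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash {p['hash']} is weak (SHA-1/MD5), prefer SHA-2")
    for (name, seq), entry in cmap.items():
        ts = entry.get("set transform-set")
        if ts not in transform_sets:
            findings.append(f"crypto map {name} {seq}: transform-set {ts} is not defined")
        elif not any(t.endswith("-hmac") for t in transform_sets[ts]):
            findings.append(f"crypto map {name} {seq}: {ts} has no ESP integrity (hmac) transform")
        if entry.get("match address") not in acls:
            findings.append(f"crypto map {name} {seq}: interesting-traffic ACL is not defined")
    return findings
```

Run against the sample it reports three findings; adding `esp-sha-hmac` to the transform-set and moving the policy to group 14 clears them.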