Hi Group,

I have a question regarding IPSec and NAT configuration. I am trying to configure IPSec between a 3640 and a 1605. The diagram of the network is shown below:

                    --------------                                  --------------
                    |            | 150.26.154.249/30                |            |
      -------fa0/0--|||  3640  |||--S0/0-----------------------S0--|||  1605  |||--E0---
    192.168.64.1/24 |            | 150.26.154.250/30                |            | 192.168.128.1/24
                    --------------          IPSec channel           --------------

IPSec needs to be configured between the 3640 S0/0 interface and the 1605 S0 interface. Both 3640 S0/0 and 1605 S0 are using global IP addresses. Both 3640 fa0/0 and 1605 E0 are using private IP addresses. NAT is configured on both the 3640 and the 1605 to translate between the private and global IP addresses.

According to Cisco CCO, "If you use network address translation (NAT), you should configure static NAT translations so that IPSec will work properly. In general, NAT translation should occur before the router performs IPSec encapsulation; in other words, IPSec should be working with global addresses."

My questions are:

(1) What does it mean by "NAT translation should occur before the router performs IPSec encapsulation; in other words, IPSec should be working with global addresses"? Does that mean I need one more router at both ends to do the NAT?

(2) Can I do IPSec with the diagram shown above? If I can, how should I configure the access-list? Should I be using the global or the private IP addresses in the access-list, i.e. which one of the next two is correct?

   A. access-list 120 permit ip 192.168.64.0 0.0.0.255 192.168.128.0 0.0.0.255
   B. access-list 120 permit ip 150.26.154.249 0.0.0.0 150.26.154.250 0.0.0.0

I know quite a few people out there are CCNP-Security certified. Please help me out. Thank you very much for your help in advance.
George Zhang, CCNP

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
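The following 3640 configuration is an added illustration of the CCO guidance quoted in the post (it is not from the post, from Cisco's documentation, or from any reply): because IOS applies inside-to-outside NAT before it evaluates the crypto map, the crypto ACL is written with the post-translation global addresses, and the 1605 mirrors it with the addresses swapped. The ISAKMP key, the transform set and crypto map names, and the internal web server 192.168.64.10 are assumptions; all other addresses and interface names come from the diagram.

```cisco
! 3640 side only; the 1605 is the mirror image with 150.26.154.250 as
! its own S0 address and 150.26.154.249 as the peer.
! Key, names and the host 192.168.64.10 are assumed for illustration.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-PRESHARED-KEY address 150.26.154.250
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Crypto ACL in GLOBAL addresses: an inside packet has already been
! translated to source 150.26.154.249 when the crypto map checks it,
! so a match on the private 192.168.64.0/24 source would never fire.
access-list 120 permit ip host 150.26.154.249 host 150.26.154.250
!
crypto map VPN 10 ipsec-isakmp
 set peer 150.26.154.250
 set transform-set TS
 match address 120
!
! NAT: the whole LAN is overloaded onto the S0/0 address; one static
! port translation gives a server a fixed global address so the remote
! side can reach it through the tunnel (the "static NAT" in the quote).
access-list 1 permit 192.168.64.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 192.168.64.10 80 150.26.154.249 80
!
interface FastEthernet0/0
 ip address 192.168.64.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 150.26.154.249 255.255.255.252
 ip nat outside
 crypto map VPN
```

After both sides are up, `show crypto ipsec sa` should list the two global /32s as the local and remote identities, confirming that encryption is keyed on the translated addresses rather than the LAN subnets.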