If NAT is configured on an interface to which an IPSec policy is applied, IPSec may not take effect. You can use the following methods:
Configure the destination IP address that matches the deny clause in an ACL referenced by NAT as the destination IP address in an ACL referenced by IPSec. In this case, data flows protected by IPSec are not translated by NAT.
Configure the ACL rule referenced by NAT to match the IP address translated by NAT.
After a deny rule is configured in NAT, you are advised to run the reset session all or reset nat session all command to delete incorrect NAT entries.