Traffic Forwarding Issue

Unanswered Question
May 20th, 2009
User Badges:

Hello ALL,

I have a VPN Concentrator behind my Cisco 2621xm router. The public interface ip on my concentrator is I can connect using the cisco VPN client when I issue my computer a 10.100.1.X ip address in the same subnet as the concentrator public interface ip however I cannot connect to my concentrator when I am on the public internet. The outside interface IP for the router is 24.99.x.x the inside interface ip for the router is which this interface is plugged into the same switch as my Concentrator public interface. What ports do I need open to forward the traffic from my outside 24.99.x.x address from the internet to the address for the VPN Concetrator to allow my client software to connect to the concentrator. Do I need to configure some kind of nat address on the router to make this work?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
John Blakley Wed, 05/20/2009 - 09:23
User Badges:
  • Purple, 4500 points or more

You can try the following:

ip nat inside source static udp 500 24.99.x.x 500 extendable

ip nat inside source static udp 4500 24.99.x.x 4500 extendable

ip nat inside source static tcp 10000 24.99.x.x 10000 extendable

If you have an acl on the outside interface, you'll need to allow it through:

access-list 110 permit udp any 24.99.x.x eq 500

access-list 110 permit udp any 24.99.x.x eq 4500

access-list 110 permit tcp any 24.99.x.x eq 10000

You may not need 10000, but just in case your UDP doesn't work, you can use ipsec over tcp which uses 10000 by default. It depends on what your concentrator is using too though.

I also found this on Cisco's FAQ, but I couldn't get a direct link:

Q. If I place my VPN 3000 Concentrator behind a firewall or router running access control lists, which ports and protocols do I need to allow through?

A. This chart lists ports and protocols.

Service Protocol Number Source Port Destination Port

PPTP Control Connection 6 (TCP) 1023 1723

PPTP Tunnel Encapsulation 47 (GRE) N/A N/A

ISAKMP/IPSec Key Management 17 (UDP) 500 500

IPSec Tunnel Encapsulation 50 (ESP) N/A N/A

IPSec NAT Transparency 17 (UDP) 10000 (default) 10000 (default)



John Blakley Wed, 05/20/2009 - 10:18
User Badges:
  • Purple, 4500 points or more

It translates the port along with the ip address. (At least that's my understanding.) You can take the extendable keyword off and see if it still works.


It also allows for multiple global addresses to map to a single local address.




This Discussion