Cisco Support Community
New Member

Static NAT VPN Problem


I am having an issue with my NAT configuration. I am fairly knowledgeable on Cisco routers, but by no means an expert.


Cisco 2611 with two Ethernet ports.

E0/0 (WAN) - DHCP address (69.x.x.228) connected to a Time Warner Cable Modem

E0/1 (LAN) - / 24

E0/0 is configured for NAT outside

E0/1 is configured for NAT inside

ip nat inside source list 115 interface E0/0 overload

10.x.x.x clients have no issue accessing the internet and everything seems to work fine.

However, I have one client on that is used to connect to a remote VPN site. I cannot connect using VPN. If I add the following statement:

ip nat inside source static interface E0/0

Then VPN works just fine; however, you can see that it breaks several other things.

I have tried to put in a static NAT with a specific port mapping for this address but that does not work either. Since I only have one "WAN" address I'm not sure how to get around this.

Any help would be appreciated.



Hall of Fame Super Blue

Re: Static NAT VPN Problem


What is happening is that the PAT on your wan interface is changing the source ports from the VPN client. This is breaking the IKE/IPSEC negotiation.

What you probably need to do is use NAT-T, which adds a UDP header to the IPSEC packets. I've attached a link that explains what it is and how to enable it on a Cisco client (don't know if that's what you are using, but all VPN clients should support it).

You will need to talk to the people who control the remote site VPN device as that device has to have NAT-T enabled as well.
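To make the mechanism in this reply concrete, here is a toy PAT model written for this thread (not Cisco IOS code and not from the poster or the reply author). All addresses and ports are constructed: 203.0.113.228 stands in for the single WAN address, 198.51.100.7 for the remote VPN gateway, and 10.0.0.10/10.0.0.11 for two inside clients. It shows three things: interface overload rewrites the IKE (UDP/500) source port of the second host, so a peer that insists on replying to port 500 delivers that reply to the wrong inside host; plain ESP (IP protocol 50) has no port field, so the translator can only ever map it for one inside host, which is exactly the behaviour a one-to-one static NAT gives; and NAT-T wraps ESP in UDP/4500, giving PAT a port to multiplex on so every host's replies come back to the right place.

```python
"""Toy model of interface overload (PAT) showing why plain IPsec breaks
behind it and how NAT-T (UDP/4500 encapsulation) fixes that.

Added example for this thread; not Cisco IOS code. All addresses and
ports are constructed (203.0.113.228 stands in for the single WAN IP).
"""
from dataclasses import dataclass, replace
from typing import Optional

OUTSIDE_IP = "203.0.113.228"   # constructed: the one WAN address
PEER_IP = "198.51.100.7"       # constructed: remote VPN gateway
HOST_A = "10.0.0.10"           # constructed inside clients
HOST_B = "10.0.0.11"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "udp" or "esp"
    src_port: Optional[int] = None  # ESP has no Layer-4 port fields
    dst_port: Optional[int] = None


class PatTranslator:
    """One outside address shared by many inside hosts via port rewriting."""

    def __init__(self, outside_ip: str, first_dynamic_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_dynamic_port
        # (proto, outside_port) -> (inside_ip, inside_port)
        self.table: dict[tuple[str, int], tuple[str, int]] = {}
        # ESP carries no port, so at most one inside host can own it
        self.esp_owner: Optional[str] = None

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "esp":
            if self.esp_owner is None:
                self.esp_owner = pkt.src_ip
            if self.esp_owner != pkt.src_ip:
                raise ValueError(f"ESP already mapped to {self.esp_owner}")
            return replace(pkt, src_ip=self.outside_ip)
        key = (pkt.src_ip, pkt.src_port)
        for (proto, oport), inside in self.table.items():
            if proto == pkt.proto and inside == key:   # existing mapping
                return replace(pkt, src_ip=self.outside_ip, src_port=oport)
        # Keep the original source port if it is still free, else allocate
        oport = pkt.src_port
        if (pkt.proto, oport) in self.table:
            oport = self.next_port
            self.next_port += 1
        self.table[(pkt.proto, oport)] = key
        return replace(pkt, src_ip=self.outside_ip, src_port=oport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply from outside; None means the packet is dropped."""
        if pkt.proto == "esp":
            if self.esp_owner is None:
                return None
            return replace(pkt, dst_ip=self.esp_owner)
        inside = self.table.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def ike_source_ports() -> tuple[int, int, str]:
    """Two hosts start IKE (UDP/500). PAT keeps 500 for the first host and
    rewrites the second; a peer that insists on replying to port 500 then
    hands the second host's reply to the first host."""
    nat = PatTranslator(OUTSIDE_IP)
    a = nat.outbound(Packet(HOST_A, PEER_IP, "udp", 500, 500))
    b = nat.outbound(Packet(HOST_B, PEER_IP, "udp", 500, 500))
    strict_reply = nat.inbound(Packet(PEER_IP, OUTSIDE_IP, "udp", 500, 500))
    return a.src_port, b.src_port, strict_reply.dst_ip


def esp_pass_through() -> tuple[str, bool]:
    """Plain ESP: the first host works, the second cannot be mapped at all."""
    nat = PatTranslator(OUTSIDE_IP)
    nat.outbound(Packet(HOST_A, PEER_IP, "esp"))
    try:
        nat.outbound(Packet(HOST_B, PEER_IP, "esp"))
        second_ok = True
    except ValueError:
        second_ok = False
    reply = nat.inbound(Packet(PEER_IP, OUTSIDE_IP, "esp"))
    return reply.dst_ip, second_ok


def nat_t_pass_through() -> tuple[str, str]:
    """NAT-T: ESP inside UDP/4500 has a port, so PAT multiplexes both hosts
    and routes each peer reply back to the right inside host."""
    nat = PatTranslator(OUTSIDE_IP)
    a = nat.outbound(Packet(HOST_A, PEER_IP, "udp", 4500, 4500))
    b = nat.outbound(Packet(HOST_B, PEER_IP, "udp", 4500, 4500))
    reply_a = nat.inbound(Packet(PEER_IP, OUTSIDE_IP, "udp", 4500, a.src_port))
    reply_b = nat.inbound(Packet(PEER_IP, OUTSIDE_IP, "udp", 4500, b.src_port))
    return reply_a.dst_ip, reply_b.dst_ip


if __name__ == "__main__":
    print(ike_source_ports())     # (500, 1024, '10.0.0.10')
    print(esp_pass_through())     # ('10.0.0.10', False)
    print(nat_t_pass_through())   # ('10.0.0.10', '10.0.0.11')
```

The model deliberately preserves an inside host's source port when it is still unused on the outside address, as real PAT implementations try to do; that is why the first IKE negotiation survives and only the second one is mangled, matching the symptom of "one client works, a second does not" that overload NAT produces for non-NAT-T IPsec.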



New Member

Re: Static NAT VPN Problem


Thanks for the info. I looked at the document and it refers to a PIX setup.

I also checked with our remote location and they do not support NAT-T nor does the client I am using.

Any other thoughts on how to get this working?

Tnx again.

New Member

Re: Static NAT VPN Problem


I solved my own problem!!! ...although I don't quite understand how/why.

In the end I changed this statement:

ip nat inside source list 1 interface e0/0 overload

to:

ip nat inside source list 115 interface e0/0 overload

ACL 1 was: permit

New ACL 115 is: permit ip any

I'm not sure why using an extended ACL works when a standard one does not... but it works fine now and I can VPN outbound and all other services still work.


