Cisco Support Community
Community Member

Source Static Nat and VPN

How do I allow the GRE protocol through to a static nat address? I have a static port entry for port 1723 as follows

ip nat inside source static tcp 1723 x.x.x.x 1723 ext

where tcp is specified I do not have the gre option for a protocol like I do on an access-list.

I have two systems that are using the nat otherwise I would use a one to one map and access-lists.

Community Member

Re: Source Static Nat and VPN

GRE packets are similar in some respects to TCP segments. They both may carry a sequence number and acknowledgement number. But GRE is not TCP, all I can suggest is that you deny the two hosts that are communication with GRE from NAT and hope that it will just be routed through if that is possible. Other then that i don't know what to suggest. good luck

Community Member

Re: Source Static Nat and VPN


you could try something like this...

ip nat inside source list 150 interface ATM0

access-list 150 permit gre host x.x.x.x



Community Member

Re: Source Static Nat and VPN

Does GRE need to be allowed in and out? I know that I have a working instance at another location that is setup one to one and I am allowing gre in and 1723 in and everything is working fine. All IP from that host is allowed out but GRE is not specifically allowed. Is GRE somehow separate in one instance but included in IP in another?

Community Member

Re: Source Static Nat and VPN

Hello again,

it seems you are tying to create a vpn tunnel between Windows machines both connected to the internet, and routers doing NAT between them, please correct me if not.

As I understand, to create that type of vpns protocols involved are,

PPTP uses protocol 47 (GRE) and protocol TCP port 1723

L2TP uses protocol 50 and/or 51 and protocol UPD port 500 src/dst and

protocol UPD port 1701 as tunnel maintenaince

NAT must be configured for all of them.



CreatePlease to create content