Cisco Support Community

IPSec Tunnels - NAT and PAT


I have a setup with 1*1711 and 3*831. There is an IPSec tunnel between each of the 831 (remote sites) and the 1711 (main site).

NAT overload is used for all the routers.

Remote sites access a Terminal Server on the main site on the standard port 3389. This works well.

I want to have access also from the Internet to the Terminal Server on the main site,

but I want to use a different port number, let's say port 7888.

Is this possible?

With my current configuration, as soon as I insert :

ip nat inside source static tcp 3389 interface FastEthernet0 7888

...remote sites lose their access to the Terminal Server. is my Terminal Server's LAN address (weird subnet, but...).

Here is a small amount of the 1711 configuration :

version 12.3

ip nat inside source route-map nat-route-map interface FastEthernet0 overload

route-map nat-route-map permit 1
 match ip address nat-acl

ip access-list extended nat-acl
 deny ip
 deny ip
 deny ip
 permit ip any


Help would be greatly appreciated.





Re: IPSec Tunnels - NAT and PAT

Hi Alain,

Your static NAT statement works in both directions, inbound and outbound. So the packets from the Terminal Server will be NATed when they leave your main site, before they enter the VPN tunnel. The order of operation is first NAT, then VPN encryption.

This is the reason why your VPN sites lose Terminal Server access when you activate the static NAT.

What you can do is to use the 7888 port in all your locations and from the internet.

Did this help? Then rate it please.
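The following configuration is an added example and is not from the thread or the original poster's router. It shows the approach practitioners commonly use to keep tunnel-bound traffic out of a static port translation: qualify the static entry with the same route-map that already exempts the VPN subnets from the overload rule. It assumes the 1711's IOS image accepts the route-map keyword on a static TCP port translation (check with "ip nat inside source static tcp ... ?" before relying on it). TS-LAN-IP, LAN-SUBNET and REMOTE-SUBNET-1..3 are placeholders for the addresses the original post does not show, and the wildcard masks are illustrative.

```cisco
! Added example, not the original poster's configuration.
! Assumption: this IOS image supports "route-map" on a static port translation.
! TS-LAN-IP, LAN-SUBNET, REMOTE-SUBNET-n and the wildcard masks are placeholders.

! Traffic from the main-site LAN to any remote VPN subnet must be denied here,
! so that it is neither overloaded nor statically translated before encryption.
ip access-list extended nat-acl
 deny   ip LAN-SUBNET 0.0.0.255 REMOTE-SUBNET-1 0.0.0.255
 deny   ip LAN-SUBNET 0.0.0.255 REMOTE-SUBNET-2 0.0.0.255
 deny   ip LAN-SUBNET 0.0.0.255 REMOTE-SUBNET-3 0.0.0.255
 permit ip LAN-SUBNET 0.0.0.255 any
!
route-map nat-route-map permit 1
 match ip address nat-acl
!
! Existing overload rule, unchanged: Internet-bound LAN traffic is PATed.
ip nat inside source route-map nat-route-map interface FastEthernet0 overload
!
! Static port forward for Internet clients: FastEthernet0:7888 -> TS-LAN-IP:3389.
! The route-map qualifier means Terminal Server replies headed for a remote
! VPN subnet (denied by nat-acl) are not rewritten, so VPN clients keep
! reaching port 3389 while Internet clients use port 7888.
ip nat inside source static tcp TS-LAN-IP 3389 interface FastEthernet0 7888 route-map nat-route-map
```

Verify from one remote site that an RDP session to port 3389 still works, then from the Internet to port 7888, and confirm with "show ip nat translations" that no translation entry is created for the Terminal Server toward the remote subnets. If the deny lines in nat-acl do not cover the Terminal Server's subnet toward every remote subnet, the static entry will still rewrite the tunnel traffic and the remote sites will lose access again.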



Re: IPSec Tunnels - NAT and PAT


Thanks for your answer. I did not want to reconfigure the clients on the different sites... but it looks like I won't have any other choice.

I still find it strange that this can't be done...

Thanks again,



Re: IPSec Tunnels - NAT and PAT

Interesting, I wasn't aware of this limitation.

I guess one way is to configure remote VPN for the user from the Internet, and forget the static statement. It's more secure.
