New Member

Nat Issue with VPN - Cisco don't know

I have seen 3-4 posts with the same problem. No one, not even Cisco, knows the fix.

Using a Cisco VPN client to a Cisco router. I have put in no NAT so I can ping the internal machines via IP and DNS name. The client has NAT Transparency but that doesn't matter. I have seen this setup working with NetScreens, which support NAT traversal.

Relevant config

ip nat inside source static tcp 3389 interface Dialer2 3389
ip nat inside source route-map nonat interface Dialer2 overload
access-list 101 remark *** Deny Nat for VPN traffic and Allow normal traffic***
access-list 101 deny ip
access-list 101 permit ip any

Removing the static NAT resolves the problem but I need the NAT statement in there.


New Member

Re: Nat Issue with VPN - Cisco don't know


I had solved a similar problem with a site-to-site VPN and NAT. Ex: NAT for TCP 3389 from external works, on the VPN it doesn't. Remove the NAT, and it works on the VPN.

The workaround (from Cisco TAC):

route-map STATIC permit 10
 match ip address 160
 set interface loopback10

int loop 10
 ip add

access-list 160 permit ip host

int eth0 (your inside interface!)
 ip policy route-map STATIC

Maybe helps..
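
The workaround in the post above, filled in as an added example (not part of the original post and not the poster's or Cisco TAC's configuration). All addresses are constructed placeholders: 192.168.1.10 is assumed to be the inside host behind the static NAT for TCP 3389, 192.168.50.0/24 the VPN client pool or remote LAN, and Ethernet0 the NAT inside interface.

```ios
! Constructed example: every address below is a placeholder.
!
! Loopback used only as a detour. It must NOT carry "ip nat inside"
! or "ip nat outside": traffic that re-enters routing from here is no
! longer inside-to-outside, so the static 3389 entry does not rewrite it.
interface Loopback10
 ip address 10.255.255.1 255.255.255.252
!
! Match only the statically NATed host talking to the VPN side.
! Keep this as narrow as possible; anything matched here bypasses NAT.
access-list 160 permit ip host 192.168.1.10 192.168.50.0 0.0.0.255
!
! Policy-route the matched traffic to the loopback.
! Unmatched traffic falls through to normal routing and normal NAT.
route-map STATIC permit 10
 match ip address 160
 set interface Loopback10
!
! Apply on the inside (LAN-facing) interface. The route-map name is
! case-sensitive and has to match the definition above.
interface Ethernet0
 ip nat inside
 ip policy route-map STATIC
!
! Checks after applying:
!   show route-map STATIC        (policy-routing match counters increase)
!   show ip policy               (route-map is bound to Ethernet0)
!   show ip nat translations     (no new entry for host-to-VPN flows)
!   show crypto ipsec sa         (encaps/decaps counters increase)
```

Replies from the host to the VPN range then reach the crypto ACL with their original source address, while connections from the Internet to port 3389 continue to use the static translation.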



New Member

Re: Nat Issue with VPN - Cisco don't know

Hey Thomas.

Just wanted to say that resolved my problem.

thanks for posting.

New Member

Re: Nat Issue with VPN - Cisco don't know

Is there a more complete write-up or documentation on this?

I tried fitting this to our situation but traffic still does not pass.

We are trying to pass traffic for a host that has a public static NAT through a LAN-to-LAN VPN.

New Member

Re: Nat Issue with VPN - Cisco don't know

Try this link:

I had statics that were using the dialer Interface so I didn't need to use the above.