Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Permitting GRE with static NAT on 1720

First off I'm a newbie at this and have spent the past 20 some hours researching the correct answers and am suffering from fuzzy-brain so please forgive me for missing the obvious.

I've got a standalone Win2k Server running VPN server on 192.100.100.x network.

A 1720 with a T1 and fastethernet.

They have a block of 23 legal ip's.

I must allow upto 15 VPN clients to connect to the Win2k VPN server through the internet. No other services are offered.

The local network needs internet access only.

I have the 1720 currently configured with PAT through one public ip for the local networks internet access.

I also have another public ip dedicated to pcanywhere access to the server using static NAT, and lastly dedicated one more public ip to the VPN server through static NAT.

The VPN mapping is:

ip nat inside source static VPN_SERVER_LOCAL_IP PUBLIC_IP.

This works fine,... but I think it is too unrestricted, SO when I try the above static entry with TCP/1723 it will not connect. It appears to me that I need to allow GRE through, but see no way using the above static syntax.

I suspect creating an access list is the correct way, but am afraid that this may cause latency problems if not configured properly. This last thing is where my fuzzy-brain situation is occuring and thus the reason for my question.

Heres the current config.

ip subnet-zero

no ip source-route

no ip finger

ip name-server





interface Serial0

ip address

! this ip is the providers public one, not from the

! above mentioned registered ip block.

ip nat outside

no fair-queue

service-module t1 timeslots 1-4


interface FastEthernet0

ip address

ip nat inside

speed auto


ip nat inside source list 1 interface Serial0 overload

ip nat inside source static VPN_SERVER_PUBLIC_IP

ip nat inside source static udp 5632 PCANYWHERE_PUBLIC 5632 extendable

ip nat inside source static udp 5631 PCANYWHERE_PUBLIC 5631 extendable

ip nat inside source static tcp 5631 PCANYWHERE_PUBLIC 5631 extendable

ip classless

ip route Serial0

no ip http server


access-list 1 permit

access-list 2 permit

New Member

Re: Permitting GRE with static NAT on 1720

You can’t run IP protocol 47 (GRE) over a PAT address. NAT is okay, not PAT.