Cisco Support Community

Troubleshooting static NAT/routing/VPN issue

I'm having an issue I can't quite figure out.  I'm setting up a Cisco 2821 on our edge to provide a site-to-site VPN to one of our clients. There is only one host that needs to connect to the client, and they require all addressing to be public, so we set up a public /30 to NAT our single host to.  I set a loopback up on the 2821 inside this /30 as well.  Traffic from the loopback works fine, but traffic from the NAT'd host doesn't seem to want to flow.  The VPN seems to come up fine when sourcing traffic from the loopback.

I can see NAT translations (with NAT logging) correctly translating the static NAT.  I can ping the router's loopback address as well as the static NAT address from the host, but I can't get to the internet at all, let alone the client VPN addresses. Packet debugging only shows me the traffic between my workstation and the router, and broadcasts.

I'm probably doing something wrong, and it's likely simple, but it's been eluding me all day.  Any help would be greatly appreciated.  My config is attached.  (Names and IP addresses have been changed to protect the innocent...)

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, RELEASE SOFTWARE (fc3)


- Static NAT: ->

Outside Gateway:

Host is using (router inside interface) as its default gateway.

router_VPN# sh debug
Generic IP:
  ICMP packet debugging is on
  IP packet debugging is on (detailed) for access list 101
  IP NAT debugging is on

sh log output: (pings to Google and Yahoo from the host in question)
Aug 24 14:34:44: NAT*: s=>, d= [25564]
Aug 24 14:34:47: NAT*: s=>, d= [25592]
Aug 24 14:34:53: NAT*: s=>, d= [25648]
Aug 24 14:35:05: NAT*: s=>, d= [25767]
Aug 24 14:35:08: NAT*: s=>, d= [25796]
Aug 24 14:35:14: NAT*: s=>, d= [25856]
