Cisco Support Community

The VPN client is unable to access the internal host configured for static NAT on the router

Core issue

This issue can occur when the VPN pool address range is not explicitly denied from being translated when traffic leaves the router.


To resolve this issue, use the route-map command for static translation. Translation decisions can be made based on the destination IP address when static translation entries are used.

For example, if the router has this configuration:

Server's internal IP address:
Server's global IP address:
VPN client pool:
NAT statement: ip nat inside source static

Then, this example shows the use of the route-map command with static NAT translations:

ip nat inside source static  route-map < nonat >

access-list 150 deny  ip host

access-list 150 permit ip host any

route-map nonat permit 10
match ip address 150

Note: This feature was introduced in Cisco IOS version 12.2(4)T.

Refer to NAT - Ability to Use Route Maps with Static Translations for additional help with how to configure route maps with static translations.
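
An added example, not part of the original page or any Cisco tooling: a Python check that reads a router configuration and reports which static NAT entries would still translate traffic destined to the VPN pool. The sample config, all addresses, the route-map name "broken" and the function names are constructed for illustration; it assumes plain host statics, "ip host" ACL entries and route maps with a single permit clause.

```python
import ipaddress
import re

# Constructed sample config; every address and the VPN pool are placeholders.
SAMPLE_CONFIG = """\
ip nat inside source static 10.1.1.10 203.0.113.10 route-map nonat
ip nat inside source static 10.1.1.20 203.0.113.20
ip nat inside source static 10.1.1.30 203.0.113.30 route-map broken
access-list 150 deny ip host 10.1.1.10 192.168.50.0 0.0.0.255
access-list 150 permit ip host 10.1.1.10 any
access-list 151 permit ip host 10.1.1.30 any
access-list 151 deny ip host 10.1.1.30 192.168.50.0 0.0.0.255
route-map nonat permit 10
 match ip address 150
route-map broken permit 10
 match ip address 151
"""

STATIC = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: route-map (\S+))?\s*$", re.M)
ACE = re.compile(r"^access-list (\d+) (permit|deny)\s+ip host (\S+) (any|host \S+|\S+ \S+)\s*$", re.M)
RMAP = re.compile(r"^route-map (\S+) permit \d+\n match ip address (\d+)", re.M)

def _dest(spec):
    """Destination part of an ACE as a network; ipaddress accepts wildcard masks."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, mask = spec.partition(" ")
    return ipaddress.ip_network(mask if addr == "host" else f"{addr}/{mask}")

def audit_static_nat(config, vpn_pool):
    """Map each plain host static NAT entry to a verdict for traffic to vpn_pool."""
    pool = ipaddress.ip_network(vpn_pool)
    rmaps, aces = dict(RMAP.findall(config)), ACE.findall(config)
    verdicts = {}
    for local, _global, rmap in STATIC.findall(config):
        if not rmap:
            verdicts[local] = "translated: no route-map"
            continue
        verdict = "exempt"  # no permit reached: route map does not match, no translation
        for acl, action, src, dst in aces:
            if acl != rmaps.get(rmap) or src != local:
                continue
            if action == "deny" and pool.subnet_of(_dest(dst)):
                break  # whole pool denied first: left untranslated
            if action == "permit" and pool.overlaps(_dest(dst)):
                verdict = "translated: permit reaches pool before a deny"
                break
        verdicts[local] = verdict
    return verdicts
```

The entry for 10.1.1.30 shows the ordering pitfall: its ACL contains the deny for the pool, but the earlier "permit ... any" matches first, so the exemption never takes effect.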

Problem Type

Connectivity to the device

Product Family


VPN - hardware & software clients