Cisco Support Community
New Member

Double NAT with EasyVPN router

I have two 881 routers. One as an EasyVPN server with a public static IP and the other as an EasyVPN client with a non-static public IP.
In front of the client router there is a modem/router from our ISP. It’s a cellular modem and has a built-in router with NAT, and I can’t set it in bridge mode. Therefore the Cisco router behind the ISP modem/router is using a private address on its outside interface.
I have configured the ISP’s router/modem with port forwarding for UDP 500 and UDP 4500 to the Cisco router, and it has been working well until we needed to change their modem/router.

The problem now is that the ISP’s modem/router doesn’t get a dynamic public IP address on its outside interface. They are now using NAT and I have no possibility to configure any port forwarding on their side, so now the traffic first goes through NAT in their system, and then on our ISP’s modem/router, before it hits my Cisco router.

My question is whether it’s possible to set up a VPN connection with this, or do I need to port forward UDP 500 and 4500 to the client router's outside interface?

Thanks for any advice


Hi,

If it is already getting NATed at the public end, then it is quite difficult to say anything. You need to check with your ISP how it is getting NATed. If it gets port address translated at the ISP end then you have real issues, but if that happens in another way then you can do something.

Please get this clarified with your ISP and let us know.





New Member

Hi,

Talked to the ISP and they couldn't say anything except that they changed their service and, oddly enough, it happened while we switched modem.

But we could get a static public IP for an additional cost, which we ordered, so most likely it will work.

But I'm still interested in the question of whether I really need to port translate the UDP 500 and 4500 traffic.
Doesn't the EasyVPN client act as a "Cisco PC VPN client"? When using the VPN client on a computer I have never needed to port translate traffic in to the PC.

Regards, Boffen

Hi Boffen,


As you said, we are not doing any NAT translation on the PC. But IPSec uses UDP 500/4500 for IKE and NAT-T. When you have a NAT/PAT device in front of your VPN client which translates a private network IP to a public IP, then if you look at the NAT translations or debug output from the Easy VPN server, you should be able to see the information about the UDP 500/4500 translations.

It is all about the protocol which the client uses to connect to a VPN server in an IPSec client-to-site scenario.
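
An added illustration, not part of the thread: the sketch below implements the NAT-D comparison from RFC 3947 that lets IKE peers notice address translation on the path and move from UDP 500 to UDP 4500, applied to the double-NAT path described in the question. The cookies, the addresses (documentation ranges) and all function names are constructed for this example.

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port), negotiated hash."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def sender_nat_d(cky_i, cky_r, dst, src):
    """NAT-D payloads in wire order: destination address first, then source."""
    return [nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)]

def receiver_detects(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Compare received NAT-D hashes with the addresses on the packet as it arrived."""
    dst_hash, src_hashes = payloads[0], payloads[1:]
    return {
        # Sender's own view of its address differs from what arrived: NAT near the peer.
        "nat_in_front_of_peer": nat_d_hash(cky_i, cky_r, *seen_src) not in src_hashes,
        # Sender aimed at an address that is not ours: NAT in front of us.
        "nat_in_front_of_me": nat_d_hash(cky_i, cky_r, *seen_dst) != dst_hash,
    }

def ike_port_after_detection(result):
    """Peers float to UDP 4500 (NAT-T) as soon as either side sits behind NAT."""
    return 4500 if any(result.values()) else 500

# Constructed sample values (not taken from the thread).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
SERVER = ("203.0.113.10", 500)          # EasyVPN server, static public IP
CLIENT_PRIVATE = ("192.168.1.2", 500)   # client outside interface behind the modem
CLIENT_AS_SEEN = ("198.51.100.7", 32011)  # after modem NAT and carrier NAT

def double_nat_case():
    payloads = sender_nat_d(CKY_I, CKY_R, dst=SERVER, src=CLIENT_PRIVATE)
    return receiver_detects(CKY_I, CKY_R, payloads, CLIENT_AS_SEEN, SERVER)

def no_nat_case():
    public_client = ("198.51.100.7", 500)
    payloads = sender_nat_d(CKY_I, CKY_R, dst=SERVER, src=public_client)
    return receiver_detects(CKY_I, CKY_R, payloads, public_client, SERVER)

if __name__ == "__main__":
    for name, case in (("double NAT", double_nat_case()), ("no NAT", no_nat_case())):
        print(name, case, "-> IKE continues on UDP", ike_port_after_detection(case))
```

The hash is the same no matter how many translations the packet passed through; the server only sees that the client's claimed source differs from the observed one.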



